
Research Proposal

A study of NIST SP 800-144 standard on IT risk management in cloud computing: Creating a novel framework for

implementing it in Small and Medium sized Enterprises (SMEs) by applying COSO and ISACA’s Risk IT frameworks

Sandeep Kaur Sidhu
Student ID – 110075823

sidsy006@mymail.unisa.edu.au

Master of Science (Computer & Information Science)
University of South Australia

Proposal submitted to the University of South Australia
School of Information Technology & Computer Sciences

In partial fulfilment of the requirements for the degree of

Master of Science (Computer & Information Science)

Supervisor: Dr Kim-Kwang Raymond Choo

Date: June 2013


Abstract

Cloud computing is a new form of service-oriented computing in which clients are offered software applications, platforms, infrastructure, databases, and security as services. Currently, the regulations and models about how cloud computing vendors should undertake IT security and risk management accountabilities are unclear. NIST SP 800-144 is the first standard by a regulatory body on cloud computing security, but it needs to be supported by other standards and empirical theories. A synergised form of NIST SP 800-144 with COSO and Risk IT is proposed for SMEs to manage their own IT risks amidst limited expectations from cloud service providers and uncertainty about the applicable regulations. The three standards can be used with the assumption that not everything is in the control of even large-scale enterprises, yet they still manage their risks. The same philosophy of certain internal practices in an uncertain external environment can be applied by SMEs as well. The findings reveal how SMEs can plan their cloud hosting ambitions, how they can define their own standards and expectations, how they can select multiple clouds, and how they can build their own controls by using multiple cloud service providers at some additional cost.


Table of Contents

Table of Figures.......................................................................................................................................4

Chapter 1: Introduction.............................................................................................................................5

1.1. Background and context...............................................................................................................5

1.2. Research motivation.....................................................................................................................8

1.3. Research aim and objectives....................................................................................................10

1.4. Research questions....................................................................................................................10

1.5. Contribution to the Research ....................................................................................................11

Chapter 2: Literature review..................................................................................................................12

2.1. Introduction..................................................................................................................................12

2.2. Empirical review of IT risk management..................................................................................12

2.3. IT risk management frameworks...............................................................................................14

2.4. Empirical review of cloud computing........................................................................................18

2.5. Security risks and IT risk management in cloud computing..................................................20

2.6. A review of NIST 800-144 framework.......................................................................................24

2.7. Summary......................................................................................................................................25

Chapter 3: Research Methodology.......................................................................................................26

3.1. Philosophy, approach, and methodology.................................................................................26

3.2. Research methods......................................................................................................................27

3.3. Sampling.......................................................................................................................................29

3.4. Data collection.............................................................................................................................30

3.5. Data analysis...............................................................................................................................31

3.6. Ethical considerations.................................................................................................................31

3.7. Summary......................................................................................................................................31

Chapter 4: Research significance and expectations..........................................................................33

4.1 Research Plan & Schedule.........................................................................................................34

4.2. Provisional Thesis Table of Contents.......................................................................................34

References...........................................................................................................................................36


Table of Figures:

Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4)..........7

Figure 2: An example integrated model of risk management framework in cloud computing based on COSO framework (Horwath et al., 2012: p. 9)..........8

Figure 3: An overview of Risk IT Framework (ISACA, 2009, p. 33)..........15

Figure 4: COSO Risk Management Framework (COSO, 2004, p. 2)..........17

Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang, Cheng, and Boutaba, 2009: p. 10)..........19

Figure 6: Research Plan..........34


Chapter 1: Introduction

1.1. Background and context

This research is concerned with IT risk management challenges in cloud computing and the practical implementation of the NIST SP 800-144 standard, which is specifically designed for risk management in the clouds. Cloud computing has emerged as a new concept of commodity services in the world of computing, storage, broadband network access, platform services, and software services (Doherty, Carcary, and Conway, 2012: p. 2). Cloud computing vendors like Google, Microsoft, and Amazon offer rapid provisioning of on-demand self-operating services with minimal intervention by the service provider (Clemons and Chen, 2010: p. 3). These benefits are mostly availed by small and medium scale enterprises, given their lack of capital funding for establishing expensive self-hosted IT infrastructures (Miller, 2009: p. 9-10).

Cloud computing offers many business benefits to customers, especially in saving operating costs, managing IT-enabled businesses with minimum administrative overheads, and getting access to world-class software platforms and applications managed by their original manufacturers (Doherty, Carcary, and Conway, 2012: p. 2). However, cloud computing carries multiple IT risks due to shared platforms, data confidentiality and privacy in user areas protected only by virtual boundaries, identity theft, privacy issues, vendor or data lock-in, loss of governance, loss of compliance, insider trading, and shared network and software vulnerabilities (Doherty, Carcary, and Conway, 2012: p. 3-4; ENISA, 2010: p. 5-6). Given that cloud computing systems are multi-vendor and multi-tenant, a standard legally-enforceable risk management framework incorporating all service providers and tenants is the key challenge (ENISA, 2010: p. 3).

Risks in cloud computing arise from shared services, cross-border litigation, data location, inter-cloud compatibility issues, lack of legal support for consumers, trust issues with service providers, IT security risks, consumer issues, privacy issues, data segregation issues, and data proliferation issues (Chandran and Agnepat, 2010: p. 3-5; Clemons and Chen, 2010: p. 5-7; Fan and Chen, 2012: p. 23-24; Jansen, 2011: 2-4; Sabahi, 2011: p. 245-247).

Fan and Chen (2012: p. 20-21) proposed that there should be an integrated risk management standard incorporating regulators, service providers, and customers. This standard should also address cross-border litigation issues and data location uncertainty. A model for analysing risks at the component level of the multiple layers of cloud computing needs to be established and agreed among all parties based on their priorities and impacts. This can be done by applying globally accepted standards like COSO, Risk IT (COBIT 5), and ISO 27005. For example, Ahmad and Janczewski (2010: p. 4) presented a triangulated model of cloud computing security employing the integration of globally accepted security standards, statutory laws, and cloud services (Figure 1). In this model, the cloud service provider can choose any standard or set of standards for implementing risk management as long as they are integrated with the statutory laws and regulations applicable to the services offered. Hence, if Sarbanes-Oxley 2002 regulators recognise ISO 27005 for self-hosted IT infrastructures, cloud computing service providers can adopt ISO 27005 and customise it to implement an effective IT risk management framework covering each component on the cloud, such that they can demonstrate compliance with Sarbanes-Oxley regulations.

Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4)

Horwath et al. (2012: p. 8-9) presented an example scenario (Figure 2) of how such an integrated model can be implemented using the COSO (Committee of Sponsoring Organizations of the Treadway Commission) risk management framework. They integrated the candidates offering cloud solutions, service delivery models, deployment models, business processes, and regulatory governance requirements in a single risk management framework based on the COSO standard. They recommended that the COSO enterprise risk management framework can be used to define, establish, and continuously improve an audit checklist used by regulators. Once standardised and enforced, all cloud services and solutions providers would implement controls in accordance with the standard and incorporate terms in agreements specifying the roles of cloud tenants and service providers.

Figure 2: An example integrated model of risk management framework in cloud computing based on COSO framework (Horwath et al., 2012: p. 9)

1.2. Research Motivation

The problem is that there is a need for a standardised risk management framework for cloud computing that is accepted globally for regulatory compliance. The Cloud Security Alliance has recommended standard methods for risk management on cloud computing (IET, 2012: p. 3). However, these recommendations have not been standardised by regulatory authorities. Mostly, regulatory authorities prefer the ISO 27005, ISO 27001, ISO 27002, and COBIT standards for demonstrating regulatory compliance of IT security and risk management (IET, 2012: p. 5-6). Cloud service providers need to find ways of using these standards for IT risk management. A new ISO standard (ISO 27017) is emerging for cloud computing risk management and is expected to be ratified in 2014. It may become the preferred choice of regulators, but until then there is a serious lack of internationally accepted standards fit for regulatory compliance of security and risk management of cloud service providers (Rittinghouse and Ransome, 2010: p. 158-159). This problem poses a serious business risk for SMEs, given that they have the most prominent reasons to adopt cloud computing services and are rapidly moving their IT systems to the clouds (Dai, 2009: p. 56; Haselmann and Vossen, 2011: p. 10; Jansen and Grance, 2011: p. 21; Karabek, Kleinert, and Pohl, 2011: p. 28).

NIST SP 800-144 is the first US regulatory standard for implementing risk management in the clouds (Jansen and Grance, 2011). This standard was released in 2011 but is not yet adequately supported by implementation procedures through which cloud providers could adopt a standardised framework for managing cloud risks. The standard needs exploratory study so that it can be mapped to other established standards used for IT risk management. The above problem description and this challenge have been taken as the research problem. The researcher intends to explore the NIST SP 800-144 standard and map it to the COSO and ISACA Risk IT standards so that an appropriate risk management framework for SMEs using cloud computing can be proposed.


1.3. Research aim and objectives

With reference to the background and context established above, and the research problem, the following research aim is defined for this research:

Aim: To explore the NIST SP 800-144, COSO, and Risk IT standards and the existing theories complementing their recommendations, and to propose an IT risk management framework for SMEs using cloud computing to run their businesses. In the absence of established standards proposed by regulators, this research will focus on how SMEs can protect themselves from IT risks while using cloud-hosted resources.

The aim is supported by the following research objectives:

(a) To study the IT risk exposures of businesses using cloud computing resources

(b) To explore the NIST SP 800-144, COSO, and Risk IT standards and the existing theories complementing their recommendations

(c) To analyse how these standards can help SMEs that depend upon cloud-hosted resources for running their businesses to manage IT risks

1.4. Research questions

This research is directed by the aim and objectives proposed above towards finding answers to the following research questions:

(a) What are the IT risk exposures of businesses that use cloud-hosted resources for running their business processes?

(b) How can the NIST SP 800-144 standard be supported by the COSO and Risk IT standards and the existing theories complementing their recommendations?

(c) How can the NIST SP 800-144, COSO, and Risk IT standards help SMEs that depend upon cloud-hosted resources to manage their IT risks?

These questions will be answered through exploratory study of the literature on cloud computing security and risk management and of the stated standard documents.

1.5. Contribution of this research

The NIST SP 800-144 standard on its own cannot serve the purpose of creating and implementing security policies and procedures on cloud computing. It does have some firm guidelines, but they need to be augmented by practical research studies and outcomes. In this research, the researcher has identified and reviewed the literature presenting recommendations on controls useful for augmenting the recommendations of this standard. This research presents a consolidated view of such controls and an actionable framework that can be tested and adopted in real-world environments or used for further research.


Chapter 2: Literature review

2.1. Introduction

Cloud computing is a new framework for delivering IT services to customers who connect to its various layers through the Internet. It has gained significant popularity in recent years due to the lowered capital expenses and affordable recurring expenses offered to cloud tenants. However, the threats and uncertainties looming over cloud computing are wider due to shared infrastructures, virtual tenant boundaries, and the spreading of data across multiple locations beyond territorial jurisdiction, caused by virtualised storage systems networked through virtual networking. These challenges have raised privacy and trust issues, leading to reluctance by many business entities and public sector organisations to adopt cloud services. In response to these challenges, NIST has released a standard, SP 800-144, for managing risks on cloud computing. Given that it is a new standard, there are no academic references on the practical implementation of SP 800-144 in organisations. This research proposes to combine SP 800-144 with two popular risk management frameworks, ISACA's Risk IT and COSO, to design an actionable risk management framework for small and medium scale enterprises using cloud hosting for their IT service needs. The resulting framework will be validated by interviewing risk management practitioners.

2.2. Empirical review of IT risk management

Risk management in IT is concerned with the protection of IT assets such that the negative impacts on the business due to loss, unauthorised modification, or unavailability of an IT asset can be minimised or eliminated completely (Humphreys, Moses, and Plate, 1998: p. 11). IT assets comprise information units (business-related documents and records) and the assets used for creating, processing, disseminating, storing, transmitting, and archiving the information units (Humphreys, Moses, and Plate, 1998: p. 11). IT assets are exposed to numerous threats emanating from the Internet or from internal hackers (Elgarnal, 2009: p. 12). These threats can compromise the confidentiality, integrity, and availability of IT assets, leading to financial, legal, reputational, customer, and employee impacts on the organisation (Dhillon and Backhouse, 2000: p. 126; Humphreys, Moses, and Plate, 1998: p. 9). Identification, assessment, and management of IT risks are needed to reduce or eliminate vulnerabilities such that external threats do not compromise the IT assets and their confidentiality, integrity, and availability (Anderson and Choobineh, 2008: p. 24; Humphreys, Moses, and Plate, 1998: p. 14; Ozkan and Karabacak, 2010: p. 568).

The risk identification, assessment, and management framework comprises quantitative evaluation of the influencing factors and the assignment of values to them (Ozkan and Karabacak, 2010: p. 572; Humphreys, Moses, and Plate, 1998: p. 22). The key values of concern are the importance of assets to the business, the most relevant threats, the magnitude of impacts on the business, the probability of impacts, and the internal vulnerabilities prevailing in the IT systems of the organisation (Gandotra, Singhal, and Bedi, 2009: p. 720-721; Humphreys, Moses, and Plate, 1998: p. 24-25; Ozkan and Karabacak, 2010: p. 570). The risk value is a quantitative outcome of the asset value (a function of the confidentiality, integrity, and availability ratings), the threat value (the product of the probability value and the impact value), and the vulnerability value (the probability of breach) (Gandotra, Singhal, and Bedi, 2009: p. 722; Humphreys, Moses, and Plate, 1998: p. 25). Finally, all risks are logged in an enterprise-wide risk register and assigned to individual risk managers for invoking risk treatment by avoiding, accepting, transferring, or eliminating the risks (Shortreed, 2008: p. 10-11).
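The following is an added worked example of the quantitative evaluation described above; it is not code from this proposal or from any of the works it cites. It carries the three components named in the text (asset value from CIA ratings, threat value as probability times impact, vulnerability value as probability of breach) through to a ranked risk register with owners and one of the four treatment options. Two things the text leaves open are filled in as assumptions: the asset value is taken as the maximum of the three CIA ratings, and the three components are combined by multiplication. The 1..5 rating scale, the 0..1 probabilities and the sample register entries are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# Conventions assumed for this example (not from the proposal):
# ratings use a 1..5 ordinal scale, probabilities lie in 0..1.


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        """Asset value as a function of the CIA ratings.

        Assumption: the maximum of the three ratings, so a single critical
        property (e.g. confidentiality of customer records) drives the value.
        """
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # likelihood that the threat materialises
    impact: int         # business impact if it does

    def value(self) -> float:
        """Threat value = probability x impact, as stated in the text."""
        return self.probability * self.impact


TREATMENTS = ("avoid", "accept", "transfer", "eliminate")


@dataclass
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: float  # probability that the threat breaches existing controls
    owner: str = ""       # risk manager this register entry is assigned to
    treatment: str = ""   # one of TREATMENTS once decided

    def value(self) -> float:
        """Risk value. Assumption: the three components combine multiplicatively."""
        return self.asset.value() * self.threat.value() * self.vulnerability


def prioritise(register: List[Risk]) -> List[Risk]:
    """Rank the enterprise-wide register so the highest risk value is treated first."""
    return sorted(register, key=lambda r: r.value(), reverse=True)


def assign(risk: Risk, owner: str, treatment: str) -> Risk:
    """Assign an owner and one of the four treatment options; reject anything else."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}; expected one of {TREATMENTS}")
    risk.owner, risk.treatment = owner, treatment
    return risk


def above_appetite(register: List[Risk], appetite: float) -> List[Risk]:
    """Entries whose risk value exceeds the organisation's stated risk appetite."""
    return [r for r in register if r.value() > appetite]


def sample_register() -> List[Risk]:
    """Constructed register for an SME using cloud-hosted services."""
    crm = Asset("Customer records in SaaS CRM", confidentiality=5, integrity=3, availability=4)
    web = Asset("Marketing website on IaaS VM", confidentiality=2, integrity=2, availability=3)
    build = Asset("Build pipeline on PaaS", confidentiality=4, integrity=4, availability=4)
    return [
        Risk(crm, Threat("Credential theft of admin account", probability=0.4, impact=5), vulnerability=0.5),
        Risk(web, Threat("Website defacement", probability=0.9, impact=2), vulnerability=0.2),
        Risk(build, Threat("Provider outage", probability=0.1, impact=5), vulnerability=0.9),
    ]


if __name__ == "__main__":
    register = prioritise(sample_register())
    for entry in register:
        print(f"{entry.value():5.2f}  {entry.asset.name} / {entry.threat.name}")
    # The top entry goes to a named owner with a treatment decision.
    assign(register[0], "IT manager", "transfer")
    print(f"Above appetite 1.5: {len(above_appetite(register, 1.5))} entries")
```

Changing the asset-value rule (for example, summing the CIA ratings) or the combination rule changes the ranking, which is exactly the kind of decision the text says must be agreed among stakeholders before the register is used.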

2.3. IT risk management frameworks

Some of the popular IT risk management frameworks are ISO 27001 (BSI, 2005), ISO 27005 (BSI, 2008), NIST 800-30 (NIST, 2001), ISACA's Risk IT (ISACA, 2009), and COSO. ISO 27001 is a standard for implementing an information risk management system, using information risk management as the fundamental framework and building upon it the management system for establishing, operating, reviewing, and improving an information security management system (BSI, 2005: p. 8-9). ISO 27005 and NIST 800-30 deal with a framework for an information risk management system comprising risk identification, risk assessment, risk prioritisation, risk treatment, and the application of controls, using qualitative and quantitative data collection and analytical methods (BSI, 2008: p. 10; NIST, 2001: p. 8). ISACA's Risk IT is a modern IT risk management framework that places an organisation-wide risk view at the core of the framework, enabling all departments to see the bigger picture and treat risks accordingly. The COSO risk management framework follows a similar approach, with a specific focus on the people aspects of IT risk management and a risk-aware culture at all levels of the organisational hierarchy, irrespective of designation, role, and responsibilities (COSO, 2004: p. 18).

The frameworks chosen for integration with the NIST 800-144 framework are ISACA's Risk IT and the COSO risk management framework. These frameworks have been chosen for two reasons:

(a) There are sufficient references available on these standards for establishing a theoretical foundation.

(b) Both standards focus on organisation-wide risk views, ensuring big-picture visualisation of IT and related risks. In cloud computing, the risk management framework needs to protect all tenants, and hence such a model has been recommended by NIST 800-144 as well. It is therefore expected that the three models will synergise effectively.

Figure 3: An overview of Risk IT Framework (ISACA, 2009, p. 33)

ISACA's Risk IT framework is presented in Figure 3 above. The Risk IT framework comprises three primary domains: risk governance, risk evaluation, and risk response. The idea of an enterprise-wide view of IT risks is to ensure that they can be treated with the bigger picture in mind and are ultimately integrated with the enterprise-wide risk management framework. This ensures that when risk-aware analysis is done, IT risks are included among the risks considered in making business decisions. The focus is not only on technical risks but also on IT-linked business risks, such that the risk profile maintained for IT systems can be linked with business objectives and business risks. In this way, IT-related risks are prioritised in view of their linkage with high-priority business risks, and the IT systems linked with high business risk profiles are prioritised from the business perspective. Such decisions are made by the business in collaboration with IT, which is the key advantage of enterprise-wide visibility of IT risks and their linkages with business risks. The risk response is carried out accordingly (ISACA, 2009: 34-37).

The COSO model of risk management is presented in Figure 4 below. It is an enterprise-wide risk management framework with IT risk management embedded within the larger system. The model is based on the risk appetite and risk management philosophy defined in the organisation, which in turn rests on various internal standards maintained by management. In this model, risk appetite and tolerance levels are defined as part of the business objectives of the firm. The rest of the model has been taken from the NIST 800-30 and ISO 27005 standards for risk identification, assessment, prioritisation, and treatment, together with communication, monitoring, and control systems for ensuring an appropriate risk-aware culture within the organisation. Risk-related culture is viewed as the core of the COSO framework (COSO, 2004: 3-12).


Figure 4: COSO Risk Management Framework (COSO, 2004, p. 2)

The risk management modelling for cloud computing has been carried out by integrating COSO and ISACA's Risk IT and using them as supporting frameworks for the NIST 800-144 standard. This integration can bring together the two major philosophies proposed by the two standards: an organisation-wide risk view and a risk-related organisational culture. These two philosophies can be viewed as the primary enablers of accurate categorisation and treatment strategy of risks and of the effectiveness of the security controls used to treat them. In cloud computing, multiple flavours of service providers (SaaS, PaaS, and IaaS, as discussed in the next section) serve numerous tenants (clients) for various business purposes. Hence, the organisation-wide risk view philosophy will result in the sharing of risk-related information with all stakeholders, with clear demarcation of accountabilities at the service providers' end and the clients' end. Such a demarcation will enable the SaaS, PaaS, and IaaS providers and the clients to identify the controls needed at their respective ends and to own them.

Having reviewed the empirical theories and models in IT risk management, the next step is to understand cloud computing closely and identify the risks prevailing in cloud IT environments. The next section presents an empirical view of cloud computing.

2.4. Empirical review of cloud computing

Cloud computing is characterised by three forms of delivery, as described by NIST in its technology roadmap for cloud computing, Vol. II (Badger et al., 2011: p. 11-15). These models are:

(a) Software as a service (SaaS)

(b) Platform as a service (PaaS)

(c) Infrastructure as a service (IaaS)

The three models have different service offerings and modes of delivery. SaaS providers use PaaS clouds to host business applications on various platforms, and PaaS providers use IaaS clouds to power their platforms. Mostly, SaaS providers are the direct interface to customers. Customers interface with PaaS clouds for developing in-house cloud-based development capabilities. Some customers interface with IaaS clouds for renting raw storage and computing power (Badger et al., 2011: p. 16-21; Chorafas, 2011: p. 24-30).


According to Qian, Luo, Du, and Guo (2009: p. 628-629), Microsoft Azure and Google App Engine can be classified as PaaS clouds, Google Apps as a SaaS cloud, and Amazon Elastic Compute as an IaaS cloud. Zhang, Cheng, and Boutaba (2009: p. 10) elaborate such a classification in their multi-level service-oriented model presented below:

Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang, Cheng, and Boutaba, 2009: p. 10)

According to the multi-level service-oriented model by Zhang, Cheng, and Boutaba (2009: p. 10-12), cloud-hosted applications like salesforce.com and mysap.com, which keep their platforms hidden from customers, may be categorised as SaaS providers. Microsoft Azure and Google App Engine open their platforms to customers for developing applications and hence may be categorised as PaaS providers. Amazon EC2 and GoGrid offer their infrastructure services (elastic computing and storage) to customers for deploying their own platforms, and hence may be categorised as IaaS providers.

Tai, Nimis, Lenk, and Klems (2010: p. 4-9), Armbrust et al. (2010: p. 50-54), and Miller (2009: p. 23-30) presented the following benefits of cloud computing for end-customers:

(a) Elastic computing and storage facilities

(b) Rapid application development and deployment

(c) Pay-per-usage model

(d) No administrative, obsolescence, or upgrading hassles

(e) State-of-the-art infrastructure and platforms

(f) Access to world-class business applications

(g) Ubiquitous access

(h) Easy commissioning and decommissioning

(i) No capital expenses

(j) Affordable recurring expenses

These benefits have attracted a large number of end-customers to cloud computing, resulting in rapid and significant growth of this industry. However, there are security risks that need to be managed effectively in cloud computing, and, unlike in self-hosted infrastructures, risk management in cloud computing is not straightforward. These aspects are discussed in the next section.

2.5. Security risks and IT risk management in cloud computing

Cloud computing employs the same IT infrastructure components as self-hosted IT infrastructures. The difference lies in virtualisation and in the multi-tenancy framework built on a web services (web 2.0) architecture. Modern organisations maintain internal security controls and hire people to manage them. However, when competitors connect to the same IT infrastructure and use shared IT resources to run their business applications, there are doubts about the trustworthiness and reliability of the personalised environments provided by the service providers. Tenants worry about their data proliferating across the virtual boundaries established between them on the cloud. The scenario becomes more challenging when most of the security controls are managed by the cloud service providers and the tenant organisations lack visibility into, as well as control over, the security of their data. These challenges drive the security risks and the IT risk management of cloud computing. (Sabahi, 2011: p. 245-246; Jansen, 2011: 2-3)

Cloud service providers deploy large-scale infrastructures with state-of-the-art security technologies, so the traditional security risks that strike self-hosted IT are less likely to strike clouds (although a single weakness in a shared component can affect every tenant at once). The challenges are more related to multi-tenancy, pooling of shared infrastructure components, and common access to applications. IT resource provisioning is normally implemented through virtualisation, and application access through web 2.0 interfaces. Hence, virtualisation and web services security risks are more prominent in cloud computing. (Jansen and Grance, 2011: p. 8-10; Jansen, 2011: 4-5)

Given that cloud computing comprises shared infrastructure components, the boundaries around the work areas offered to tenants are virtual and are protected by security settings in virtualised servers and network components. Hence, tenant organisations perceive unclear risk profiles of identity theft, privilege escalation, exploits, session masquerading, and other Internet and virtualisation-based attacks. In addition to unknown risk profiles due to virtualised environments and web services architecture, tenant organisations have little control over security-related settings on the clouds. Most of the controls are managed by the platform and infrastructure service providers that interface with the software-as-a-service provider. Hence, tenant organisations are unclear about their role in risk treatment and about the effectiveness of the risk treatments conducted by the service providers. The strength of the virtualised boundaries is unclear, and hence tenant organisations are unsure about the protection of their data from Internet threats, competitors' activities, proliferation attempts, insider threats, lock-in attempts (by the cloud service providers), and breaches of confidentiality, integrity, and reliability. (Sabahi, 2011: p. 246-247; Jansen, 2011: p. 6; Jing and Jian-Jun, 2010: p. 477; Tripathi and Mishra, 2011: p. 3)

Another significant challenge facing effective risk management in cloud computing relates to auditing and forensics for control effectiveness testing and regulatory compliance. Cloud providers need to provide standard interfaces, system-generated logs, tenant-specific logs, automatically generated hashes of the evidence they hand over, virtual machine cloning/regeneration, and snapshots of tenant databases for law enforcement, forensic investigations, and regulatory auditing. Traditional host-based forensics, system auditing, vulnerability analysis, penetration testing, and other established mechanisms need to be taken to the clouds in a service-oriented approach. New technical and legal dimensions need to be developed for distributed computing, virtualised infrastructures, and web services architectures to address this gap. (Chen et al., 2013: p. 44-46; Chen and Yoon, 2010: p. 255-256; Ruan et al., 2011: p. 8-10; Taylor et al., 2011: p. 6)
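As an added example (not part of this proposal or of the cited works), the following Python code shows one way a provider could produce the tenant-specific, automatically hashed log export described above: events from a shared, system-generated log are filtered for one tenant and linked into a SHA-256 hash chain, so that an auditor or investigator can detect any later edit, deletion, or reordering of the exported records. The sample events, their field names, and the genesis value are constructed for illustration.

```python
import hashlib
import json

# Constructed sample events for illustration; not taken from any real system.
# The "tenant" field is what a provider would use to cut tenant-specific logs
# out of a shared, system-generated log stream.
SAMPLE_EVENTS = [
    {"tenant": "tenant-a", "ts": "2013-06-01T10:00:00Z", "event": "login", "user": "alice"},
    {"tenant": "tenant-b", "ts": "2013-06-01T10:00:05Z", "event": "login", "user": "bob"},
    {"tenant": "tenant-a", "ts": "2013-06-01T10:01:00Z", "event": "vm.snapshot", "vm": "vm-17"},
    {"tenant": "tenant-b", "ts": "2013-06-01T10:01:30Z", "event": "db.export", "db": "orders"},
    {"tenant": "tenant-a", "ts": "2013-06-01T10:02:00Z", "event": "logout", "user": "alice"},
]

GENESIS = "0" * 64  # assumed hash value preceding the first entry of every tenant chain


def canonical(event):
    """Serialise an event deterministically so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash, event):
    """Hash of one chain entry: SHA-256 over the previous hash and the canonical event."""
    return hashlib.sha256(bytes.fromhex(prev_hash) + canonical(event)).hexdigest()


def build_tenant_chain(events, tenant):
    """Extract one tenant's events, in order, and link them into a hash chain.

    Each entry records the hash of the previous entry, so removing, reordering
    or editing any event changes every hash after it.
    """
    chain = []
    prev = GENESIS
    for event in events:
        if event.get("tenant") != tenant:
            continue  # other tenants' events never enter this tenant's export
        digest = entry_hash(prev, event)
        chain.append({"event": event, "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, tenant):
    """Re-compute the chain; return (ok, index of first bad entry, or chain length if ok)."""
    prev = GENESIS
    for index, entry in enumerate(chain):
        if entry["event"].get("tenant") != tenant:
            return False, index  # a foreign tenant's record in an export is itself a failure
        if entry["prev"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, index
        prev = entry["hash"]
    return True, len(chain)


def tamper_demo():
    """Show that editing or deleting an entry is detected at the first affected index."""
    chain = build_tenant_chain(SAMPLE_EVENTS, "tenant-a")
    edited = json.loads(json.dumps(chain))   # deep copy of the export
    edited[1]["event"]["vm"] = "vm-99"       # alter the snapshot record after export
    deleted = chain[:1] + chain[2:]          # drop the snapshot record entirely
    return (
        verify_chain(chain, "tenant-a"),
        verify_chain(edited, "tenant-a"),
        verify_chain(deleted, "tenant-a"),
    )


if __name__ == "__main__":
    print(tamper_demo())
```

A hash chain proves only that the export is internally consistent; a provider who controls the whole chain could recompute it after an edit. For the export to serve as forensic evidence, the head hash should be anchored outside the provider's control, for instance by having the provider sign it, hand it to the tenant at export time, or publish it, which is the kind of standard interface the paragraph above calls for.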

Risk management in cloud computing differs from that of the self-hosted IT systems of individual organisations. In clouds, risk management needs to be implemented in a multi-agency mode, whereby each agent may be a different organisation or a different service provider. In such a scenario, an enterprise-wide view of risk may be difficult to achieve, leaving risk treatments disconnected from business objectives and performance goals. This is highly risky for tenant organisations as well as for service providers. Tenant organisations may suffer from an irrational approach to risk identification and treatment, resulting in poorer security and privacy controls. Service providers may lose clients and market share if a major data breach occurs that affects multiple tenants hosted on their clouds. Hence, there needs to be a mechanism for a common risk view in which all agents access a common risk registry, log their risks, and publish reports of their mitigation activities. Tenant organisations can log into the registry and view the treatments of the risks they are concerned about. In this way, risk management on the cloud becomes transparent and integrated. The risks may be treated using hierarchical analytics of each layer of the cloud, such that tenant organisations gain visibility into the risk treatments of the layers that are otherwise invisible to them. This framework, combined with standardised forensics and cloud audits, can enhance cloud computing reliability considerably. (Mukhin and Volokyta, 2011: p. 739; Peiyu and Dong, 2011: p. 3202; Zech, 2011: 413; Zhang et al., 2010: p. 1331-1332)
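As an added example (not part of this proposal or of the cited works), the following Python code sketches the common risk registry described above: any agent (a provider at one layer, or a tenant) logs risks, only the owning agent publishes treatment reports, and each tenant gets a per-layer view of the risks that affect it, including risks at layers it cannot otherwise see, while seeing nothing of other tenants' entries. The layer names, status values, agent names, and risk entries are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed layer names of the multi-level model; a tenant normally sees only the layer it buys.
LAYERS = ("iaas", "paas", "saas")
STATUSES = ("planned", "in_progress", "mitigated", "accepted")


@dataclass
class RiskEntry:
    risk_id: str
    layer: str
    owner: str          # agent (provider or tenant) that logged the risk and owns its treatment
    description: str
    affected: frozenset  # tenants allowed to see this entry
    treatments: list = field(default_factory=list)

    def status(self):
        """Latest published treatment status, or 'open' if nothing has been published."""
        return self.treatments[-1]["status"] if self.treatments else "open"


class RiskRegistry:
    """Common risk registry shared by all agents of a multi-agency cloud (constructed example)."""

    def __init__(self):
        self._entries = {}

    def log_risk(self, risk_id, layer, owner, description, affected):
        """Any agent may log a risk at a known layer under a fresh identifier."""
        if layer not in LAYERS:
            raise ValueError(f"unknown layer {layer!r}")
        if risk_id in self._entries:
            raise ValueError(f"duplicate risk id {risk_id!r}")
        entry = RiskEntry(risk_id, layer, owner, description, frozenset(affected))
        self._entries[risk_id] = entry
        return entry

    def publish_treatment(self, risk_id, agent, action, status):
        """Only the owning agent may publish treatment reports; everyone else only reads."""
        entry = self._entries[risk_id]
        if agent != entry.owner:
            raise PermissionError(f"{agent} does not own {risk_id}")
        if status not in STATUSES:
            raise ValueError(f"unknown status {status!r}")
        entry.treatments.append({"agent": agent, "action": action, "status": status})
        return entry.status()

    def tenant_view(self, tenant):
        """Per-layer view of every risk that affects this tenant, whatever layer it sits at."""
        view = {layer: [] for layer in LAYERS}
        for entry in self._entries.values():
            if tenant in entry.affected:
                view[entry.layer].append(
                    {"risk_id": entry.risk_id, "owner": entry.owner, "status": entry.status()}
                )
        return view

    def open_risks(self):
        """Registry-wide list of risks without an effective treatment (the enterprise-wide view)."""
        return sorted(
            e.risk_id for e in self._entries.values()
            if e.status() in ("open", "planned", "in_progress")
        )


def demo_registry():
    """Constructed scenario: one IaaS provider, one SaaS provider, two tenants."""
    reg = RiskRegistry()
    reg.log_risk("R-1", "iaas", "iaas-provider",
                 "hypervisor patch lag on shared hosts", {"tenant-a", "tenant-b"})
    reg.log_risk("R-2", "saas", "saas-provider",
                 "weak session timeout in web front end", {"tenant-a"})
    reg.log_risk("R-3", "saas", "tenant-b",
                 "tenant-b admin accounts lack MFA", {"tenant-b"})
    reg.publish_treatment("R-1", "iaas-provider", "rolling hypervisor upgrade", "in_progress")
    reg.publish_treatment("R-2", "saas-provider", "timeout reduced to 15 minutes", "mitigated")
    return reg


if __name__ == "__main__":
    registry = demo_registry()
    print(registry.tenant_view("tenant-a"))
    print(registry.open_risks())
```

`open_risks()` is the enterprise-wide view the paragraph says is hard to achieve; `tenant_view()` is the tenant-scoped one. In a real deployment the visibility set (`affected`) should be derived from the provider's tenancy records rather than supplied by the agent logging the risk, since an agent that chooses its own audience could hide a risk from the tenants it affects.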

The reviews presented in the paragraphs above are outcomes of academic research studies. However, they are not standardised for application in a cloud environment. NIST SP 800-144 is an early attempt to standardise cloud computing security. A review of the standard is presented in the next section.

2.6. A review of NIST 800-144 framework

The NIST SP 800-144 standard is presented in six chapters, including an introduction and a conclusion. The key chapters are Chapter 4, on security and privacy issues and recommendations in cloud computing, and Chapter 5, on secure outsourcing to public clouds. The standard presents issues and recommendations on the following (Jansen and Grance, 2011: p. 14-35):

(a) Governing deployment, expansion, and change management in cloud

computing

(b) Meeting compliance obligations on the clouds

(c) Achieving trustworthy computing on the clouds

(d) Standardisation of cloud computing architecture taking care of security,

auditing, and other requirements

(e) Access control and identity protection on the clouds

(f) Isolating software and platform environments on cloud computing

(g) Protecting data and its life cycle on the clouds


(h) Ensuring data availability on the clouds

(i) Responding to incidents in clouds

The standard addresses most of the concerns raised by scholars in the academic literature. However, its recommendations need to be tested in practical environments by executing pilot tests or running simulations. In addition to these recommendations, the standard presents a detailed plan of activities for moving IT resources to cloud computing environments. It has a separate section of recommendations for small and medium sized enterprises that need cloud computing to run their IT-enabled businesses. (Jansen and Grance, 2011: p. 14-35)

2.7. Summary

In this chapter, a detailed literature review pertaining to the research topic is

presented. The literature review forms a background of empirical theories on IT risk

management, popular risk management models and cloud computing in general. In

addition, specific sections on IT risks on cloud and NIST SP 800-144 standard’s

framework are presented. In this way, the context of this research with all background

information is clarified. The next chapter presents a detailed review of research

methods and presents a finalised research design for this study.


Chapter 3: Research design

3.1. Philosophy, approach, and methodology

Every research study follows epistemological or ontological philosophies that have emerged over hundreds of years of human knowledge building (Bryman and Bell, 2007: p. 9). Epistemology deals with the acceptance of knowledge gained through knowledge-building efforts (like research) by the interested communities (like scientists, physicists, engineers, and philosophers) (Bryman and Bell, 2007: p. 9-10). Ontology deals with the interrelationship between the structural frameworks of social systems and human beings (Bryman and Bell, 2007: p. 10). Hence, ontology is mostly concerned with social research (Bryman and Bell, 2007: p. 10).

Epistemology has two philosophies, depending upon the way knowledge is developed from a knowledge-building exercise. Interpretivists build knowledge by exploring and generating theories, whereas positivists build knowledge by confirming and proving theories. Interpretivists use an inductive approach to knowledge building, in which knowledge generation is based on evidence and examples. Positivists use a deductive approach, in which knowledge generation is based on scientific experiments, mathematics, statistics, simulation, or any other accepted confirmatory technique. The inductive approach is mostly associated with the qualitative research methodology, which is used for organised data collection in the form of text and images. The deductive approach is mostly associated with the quantitative research methodology, which collects data in numerical form only. (Bryman and Bell, 2007: p. 11-15; Collis and Hussey, 2009: p. 24-27; Saunders, Lewis, and Thornhill, 2011: p. 114-121)


In this research, the researcher wants to explore three standards of risk management: NIST SP 800-144, COSO, and ISACA's Risk IT. The data collected will comprise mostly text and images, and the researcher wants to use evidence from the literature to generate theories. For this purpose, the combination of interpretive philosophy, inductive approach, and qualitative methodology is most suitable. Accepting these as the choices for this research, a review of research methods under the qualitative methodology is presented in the next section.

3.2. Research methods

Qualitative studies are conducted by collecting text and images, reducing,

organising and coding of information, and making interpretations with the help of

existing empirical theories (Saunders, Lewis, and Thornhill, 2011: p. 141). The key

research methods under qualitative methodology are the following (Saunders, Lewis,

and Thornhill, 2011: p. 141-151; Thompson and Walker, 1998: p. 65-70):

(a) Anthropological Ethnography: This technique has historically been used for observing cultures and communities and collecting significant amounts of textual, image, and video data. Ethnography involves data collection mostly through observation and occasional conversation (not interviewing or surveying). It generates a significant amount of data that needs to be sorted, categorised, reduced, and codified to derive meaningful information for comparing and contrasting with the results of other research studies.

(b) Phenomenology: This technique is based on learning from the collective experiences of human beings. It involves interviewing or surveying people about their experiences of the phenomena under study. Normally, such research studies return highly valid data, given that the collective experiences of a large number of people are unlikely to be systematically wrong. Accurate sampling is the key to the success of phenomenology.

(c) Grounded Theory: Grounded theory involves organised data collection from

research settings and comparing them with pre-established theories. It is a

lengthy process and requires high interpretation skills to analyse the data

collected accurately as well as the results of comparing/contrasting with

previously established theories.

(d) Action Research: It is also referred to as participatory research. In action

research, the researcher participates with subjects in a research setting and

works closely with them to find out solutions to the research problems

prevailing in the research setting.

(e) Delphi: It is an iterative decision-making process in which, opinions of a group

of respondents are taken in multiple rounds of questioning and sharing with

the results each round. It is widely used for consensus building.

(f) Archival study: It involves an organised study of archives related to the

research problem. It is mostly based on secondary data.

The researcher's choice in this study is archival research. The researcher intends to study the published documents on NIST SP 800-144, COSO, and ISACA's Risk IT, and related research studies. The research questions pertain to the IT risk exposures of SMEs on cloud computing, to employing NIST SP 800-144 with its supporting standards (Risk IT and COSO), and to formulating an IT risk management framework for SMEs on cloud computing. These research questions can be addressed through archival research because of the ready availability of literature, published standards, and published research reports. It is expected that this research will gain sufficient insight into the standards and the underlying theories supporting them, which will help in achieving a reasonable level of generalisability.

3.3. Sampling

In qualitative methodology, sampling may be of judgmental type, quota type,

snowball type, or convenience (access-based) type (Collis and Hussey, 2009: p. 209-

214). Judgmental sampling type helps the researcher to choose units in the sample as

per pre-determined criteria established to meet the research objectives. Quota sampling

type employs judgmental sampling as well, but the sample units are taken from multiple

populations based on a quota assigned per population. Snowball sampling type helps

the researcher to build the sample gradually in parallel with progress of the research.

Convenience sampling type helps the researcher to build the sample based on

availability of population members.

In this research, the judgmental sampling type is chosen, such that the sample units are based on the researcher's chosen selection criteria. The following criteria have been used for choosing the sample units from the population (books, journals, published research studies, standards documentation, and other such reliable sources):

(a) Is a reliable and reviewed source

(b) Is based on primary or secondary data, and on insights from experts in this field

(c) Is relevant to the research topic and context (risk management on cloud computing)

(d) Will help in answering the research questions and meeting the objectives

(e) Will help in developing a theoretical framework for managing risks on cloud computing for SMEs

Sampling has been conducted using an iterative reading approach. In the first round, a large number of references were chosen with general keywords, like cloud computing security, cloud computing risk management, and security standards on cloud computing. The summaries of all these references were studied and a first sample set was chosen based on the sampling criteria presented above. The researcher studied the references in the first sample set in detail and rejected the ones that did not deliver information relevant to this research. After the rejections, the second sample set was chosen and finalised.

3.4. Data collection

The researcher has primarily accessed reputable databases for collecting the sources in the sample. The key databases used are IEEE Xplore, ACM, Science Direct (Elsevier and Pergamon), Emerald, and Springer. In addition, the researcher has included published research studies at master's and doctoral level from university websites. The core references about the standards reviewed have been taken from the COBIT, COSO, and NIST websites. Some popular books published by reputable publishers (like Pearson, Elsevier, IGI, and CRC) have been chosen as well. Data was collected in two forms: in exploratory form, reviewed in Chapter 2, and in tabulated form, presented in Chapters 4, 5, and 6. In Chapter 2, data is collected and reviewed to build knowledge of the theories, and in Chapters 4, 5, and 6, data is collected to find answers to the research questions.

3.5. Data analysis

Data analysis is conducted qualitatively by collecting the relevant definitive points

from the references and analysing them. As proposed by Saunders, Lewis, and

Thornhill (2011: p. 143-145), data analysis should be conducted in such a way that the

data sets reflect the theories applied in them and point towards new theories evolving

from such applications. In Chapter 2, the data collected from references will be

reviewed. The theoretical foundation will be established and with its help background

will be prepared for answering the research questions.

3.6. Ethical considerations

Collis and Hussey (2009: p. 74-76) warned that the researcher should be careful, when conducting the research, to ensure that there is no deception, dishonesty, or bias. In this research, there are no human respondents. However, the use of secondary sources creates the need to protect their intellectual property rights and to protect the research against plagiarism. Hence, all sources have been cited within the contents and a list of references is included at the end. In addition, all figures have been redrawn.

3.7. Summary

The following is the summary of the research design chosen in this research:

(a) Philosophy – interpretive

(b) Approach – inductive

(c) Methodology – qualitative

(d) Method – archival

(e) Sampling – judgmental

(f) Data collection – iterative reading and collecting definitive facts

(g) Data analysis – qualitative interpretations of data tabulated against the research questions

(h) Ethics – citation, referencing, and drawing original figures


Chapter 4: Research significance and expectations

This research will be significant for researchers studying changes in the business risks and IT risks of SMEs that have moved their IT resources to cloud computing. It may serve as a useful reference document for such researchers, especially in the fields of security controls and risk management for SMEs using cloud computing. In addition, this research may generate useful information for SMEs using cloud hosted resources that are looking for methods and ways of managing IT risks. This research shall produce a synthesis of three professional standards and clarify their implementation approaches with the help of the academic literature. Hence, it is expected that the results will be actionable in real world business environments. Given the opportunity, the researcher will look forward to disseminating the knowledge gained through the university website, journals, and conferences.

The following results are expected in this research:

(a) A detailed review of the literature for identifying controls that can be used with the NIST SP 800-144 standard

(b) Mapping of NIST SP 800-144 recommendations with the controls identified, and

with COSO and Risk IT standards

(c) Analysis of how this mapping will help SMEs using cloud hosted resources in

managing their IT risks

These results will help in enhancing the practical implementation of IT risk management in cloud computing using the NIST SP 800-144 standard. The results will present a consolidated view of the opportunities to address security and privacy issues on the clouds. Some controls may be easily implementable, and some may require long-term multi-agency alignment and policy changes. However, the consolidated view can be helpful in preparing short-term and long-term goals for enhancing IT risk management on the clouds.

4.1 Research Plan & Schedule

The following table provides the schedule and planned time for researching the proposed topic.

Date                               | Assignment
-----------------------------------|----------------------------------------------------
27th February 2013                 | Project & Supervisor
2nd March 2013                     | Topic of thesis
3rd March - 7th March 2013         | Planning of research work
8th March - 30th April 2013        | Literature Review
11th April - 20th April 2013       | Annotated bibliography writing
22nd April 2013                    | Annotated Bibliography submission
23rd April - 16th May 2013         | Finalize Research Question
17th May - 30th May 2013           | Research Proposal Writing
1st June - 10th June 2013          | Minor Thesis proposal Submission & presentation
11th June 2013 - 25th July 2013    | Data Collection
26th July - 25th August 2013       | Evaluation of data collected from theories
26th August - 30th September 2013  | Thesis writing
15th October 2013                  | Draft submission
20th October 2013                  | Receive comments for Corrections
28th October 2013                  | Final Minor Thesis

Figure 6: Research Plan Table

4.2 Provisional Thesis Table of Contents

Abstract

Table of Figures

Chapter 1: Introduction

1.1 Background and Context
1.2 Research Problem
1.3 Research aim and objectives
1.4 Research questions
1.5 Research significance and expectations
1.6 Structure of dissertation

Chapter 2: Literature Review

2.1 Introduction
2.2 Empirical review of IT risk management
2.3 IT risk management frameworks
2.4 Empirical review of cloud computing
2.5 Security risks and IT risk management in cloud computing
2.6 A review of NIST 800-144 framework
2.7 Summary

Chapter 3: Research design

Chapter 4: Findings against research question 1

4.1 Findings
4.2 Discussions
4.3 Summary

Chapter 5: Findings against research question 2

5.1 Findings
5.2 Discussions
5.3 Summary

Chapter 6: Findings against research question 3

6.1 Findings
6.2 Discussions
6.3 Summary

Chapter 7: Conclusions and Recommendations

7.1 Conclusions
7.2 Recommendations

References


References

Ahmad, R. and Janczewski, L. (2010). "Triangulation theory: An approach to mitigate

governance risks in clouds", IEEE: p. 1-8.

Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R., Konwinski, A., Lee, G., Patterson, D., Rabkin, A., Stoica, I. and Zaharia, M. (2010). “A View of Cloud Computing”. Communications of the ACM, Vol. 53 (4): p. 50-58. ACM.

Anderson, E. E. and Choobineh, J. (2008). "Enterprise information security strategies".

Computers and Security, Vol. 27: p. 22-29. Elsevier.

Badger, L., Bohn, R., Chu, S., Hogan, M., Liu, F., Kaufmann, V., Mao, J., Messina, J., Mills, K.,

Sokol, A., Tong, J., Whiteside, F. and Leaf, D. (2011). “U.S. Government cloud

computing technology roadmap – Volume II”, Special Publication 500-293, NIST (U.S.

Department of Commerce): p. 6-76.

Bakshi, K. (2011). “Considerations for Cloud Data Centers: Framework, Architecture and

Adoption”. IEEE: p. 1-7.

Bryman, A. and Bell, E. (2007). “Business Research Methods”. Second Edition. London: Oxford

University Press.

Chandran, S. P., and Angepat, M. (2010). "Cloud Computing: Analysing the risks involved in

cloud computing environments", IEEE: p. 1-6.

Chen, Z. and Yoon, J. (2010). "IT Auditing to Assure a Secure Cloud Computing", IEEE: p. 253-

259.

Chen, Z., Han, F., Cao, J., Jiang, X., and Chen, S. (2013), "Cloud Computing-Based Forensic

Analysis for Collaborative Network Security Management System", IEEE Computer

Society: p. 40-50.

Chorafas, D. N. (2011). “Cloud Computing Strategies”, London: CRC Press, Taylor and Francis

Group.


Clemons, E. K., and Chen, Y. (2010). "Making the Decision to Contract for Cloud Services:

Managing the Risk of an Extreme Form of IT Outsourcing", In CloudAsia2010, 2-7 May,

2010, Singapore, p. 1-10.

Collis, J. and Hussey, R. (2003). “Business Research: a practical guide for undergraduate and postgraduate students”. Second Edition, Basingstoke: Palgrave Macmillan.

Cooper, D. and Schindler, P. (2003). “Business Research Methods”. Statistics and Probability

Series. Seventh Edition, London: McGraw Hill International Edition.

Dai, W. (2009). "The impact of emerging technologies on small and medium enterprises

(SMEs), Journal of Business Systems, Governance and Ethics, Vol. 4 (4): p. 53-60,

School of Law, Victoria University, Melbourne.

Dhillon, G. and Backhouse, J. (2000). "Information System Security Management in the New

Millennium". Communications of the ACM, Vol. 43 (7), p. 125-128.

Doherty, E., Carcary, M. Dr., and Conway, G. (2012). "Risk Management Considerations in

Cloud Computing Adoption", Research by Innovation Value Institute (IVI), p. 2-7.

Elgamal, T. (2009). "The new predicaments of security practitioners". Computer Fraud and Security, Vol. November 2009: p. 12-14. Elsevier.

ENISA (2010). "Cloud computing: benefits, risks and recommendations for information security",

European Network and Information Security Agency, p. 1-6.

"Enterprise Risk Management–Integrated Framework: application techniques", Committee of

Sponsoring Organizations of the Treadway Commission (COSO), 2004, p. 2-112.

Everett, C. (2011). “A risky business: ISO 31000 and 27005 unwrapped”, Computer Fraud and

Security, February 2011: p. 5-7. Elsevier.

Fan, C. and Chen, T. (2012). "The Risk Management Strategy of Applying Cloud Computing",

International Journal of Advanced Computer Science and Applications, Vol. 3 (9): p. 18-

27.


Gandotra, V., Singhal, A. and Bedi, P. (2009). “Threat mitigation, monitoring and management

plan - a new approach in risk management”. IEEE Computer Society: p. 719-723.

Haselmann, T. and Vossen, G. (2011), "Software-as-a-Service in Small and Medium

Enterprises: An Empirical Attitude Assessment", European Research Center for

Information Systems (ERCIS), University of Munster, Germany, p. 1-14.

Herath, T. and Rao, H. R. (2009). Encouraging information security behaviors in organizations:

Role of penalties, pressures and perceived effectiveness. Decision Support Systems,

Vol. 47: p. 154-165. Elsevier.

Herath, T. and Rao, H. R. (2009). "Protection motivation and deterrence: a framework for

security policy compliance in organizations". European Journal of Information Systems,

Vol. 18, p. 106–125, Operational Research Society. Palgrave Journals.

Horwath, C., Chan, W., Leung, E., and Pili, H. (2012). "Enterprise Risk Management for Cloud

Computing", Thought Leadership in ERM, Committee of Sponsoring Organizations of the

Treadway Commission (COSO) research paper, p. 3-32.

Humphreys, E. J., Moses, R. H., Plate, E. A. (1998). “Guide to BS7799 risk assessment and

management”. London: British Standards Institution, p. 1-74.

IET (2012), "Cloud Computing - The Security Challenge", Fact file by The Institution of

Engineering and Technology, p. 1-8.

“Information Technology — Security Techniques — Information Security Management System”.

International Standard. BS ISO/IEC 27001:2005. British Standards Institution (BSI),

2005: p. 7-35.

“Information Technology — Security Techniques — Information Security Risk Management”.

International Standard. BS ISO/IEC 27005:2008. British Standards Institution (BSI),

2008: p. 9-27.

Jansen, W. A. and Grance, T. (2011). "Guidelines on Security and Privacy in Public Cloud

Computing", NIST Special Publication 800-144: p. 4-88, National Institute of Standards

and Technology, U.S. Department of Commerce.


Jansen, W. A. (2011). "Cloud Hooks: Security and Privacy Issues in Cloud Computing". IEEE: p. 1-10.

Jing, X. and Jian-Jun, Z. (2010). "A Brief Survey on the Security Model of Cloud Computing". IEEE Computer Society: p. 475-478.

Karabek, M. R., Kleinert, J. and Pohl, A. (2011). "Cloud Services for SMEs – Evolution or Revolution?". Business Innovation, Quarter 1, 2011: p. 26-33.

Miller, M. (2009). "Cloud Computing: Web based applications that change the way you work and collaborate online". US: Que Publishing (Pearson).

Mukhin, V. and Volokyta, A. (2011). "Security Risk Analysis for Cloud Computing Systems". In the 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, 15-17 September 2011, Prague, Czech Republic. IEEE: p. 737-742.

Ozkan, S. and Karabacak, B. (2010). "Collaborative risk method for information security management practices: A case context within Turkey". International Journal of Information Management, Vol. 30: p. 567-572. Elsevier.

Peiyu, L. and Dong, L. (2011). "The New Risk Assessment Model for Information System in Cloud Computing Environment". Procedia Engineering, Vol. 15: p. 3200-3204. Elsevier.

Qian, L., Luo, Z., Du, Y. and Guo, L. (2009). "Cloud Computing: An Overview". In Jaatun, M. G., Zhao, G. and Rong, C. (Eds.), LNCS 5931: p. 626-631. Berlin: Springer-Verlag.

Rittinghouse, J. W. and Ransome, J. F. (2010). "Cloud Computing: Implementation, Management, and Security". CRC Press.

Ruan, K., Carthy, J., Kechadi, T. and Crosbie, M. (2011). "Cloud forensics: An overview". Centre for Cybercrime Investigation, University College Dublin and IBM Ireland Ltd: p. 1-16.

Saunders, M. N. K., Lewis, P. and Thornhill, A. (2007). "Research Methods for Business Students". Fourth edition. London: Prentice Hall.


Shortreed, J. (2008). "ISO 31000 - Risk management standard". Institute of Risk Research, University of Waterloo: p. 2-24.

Tai, S., Nimis, J., Lenk, A. and Klems, M. (2010). "Cloud Service Engineering". In Proceedings of ICSE 2010, 2-8 May 2010, Cape Town, South Africa. ACM: p. 475-476.

Taylor, M., Haggerty, J., Gresty, D. and Lamb, D. (2011). "Forensic investigation of cloud computing systems". Network Security, Spring 2011: p. 4-10. Elsevier.

"The Risk IT framework: principles, process details, management guidelines, and maturity models". ISACA, 2009: p. 7-103.

Thompson, C. B. and Walker, B. L. (1998). "Basics of Qualitative Research". A M Journal, Vol. 17 (2): p. 64-72. Elsevier.

Tripathi, A. and Mishra, A. (2011). "Cloud Computing Security Considerations". IEEE: p. 1-5.

Zech, P. (2011). "Risk-Based Security Testing in Cloud Computing Environments". IEEE: p. 411-414.

Zhang, Q., Cheng, L. and Boutaba, R. (2010). "Cloud computing: state-of-the-art and research challenges". Journal of Internet Services and Applications, Vol. 1: p. 7-18. Springer.

Zhang, X., Wuwong, N., Li, H. and Zhang, X. (2010). "Information Security Risk Management Framework for the Cloud Computing Environments". IEEE: p. 1328-1334.
