
Essay: Risk assessment methodologies and frameworks for cloud computing


In [13], a security risk assessment method based on an Analytic Hierarchy Process (AHP) model is introduced. The assessment is carried out using the principles of decomposition, pairwise comparison, and synthesis of weights. The AHP model has three layers of decomposition. The first step is to formulate the problem of assessing cloud security risk as a hierarchical structure. In level two, 8 major factors were identified for assessment. In level three, 39 factors were identified, corresponding to the higher levels and to specific local conditions. The evaluation module uses the constructed AHP tree to assess the system with the help of a judgment matrix that is filled in by cloud experts. Finally, the weighted vectors are calculated to obtain the final risk order.
In [14], a hierarchical framework is built to analyze the risk and set the goal for the assessment. An indicator system is then built under each principle, and sub-indicators are introduced for assessment. For example, the first-level indicators could be risk of cloud computing platform, risk of cloud storage, risk of cloud security, and so on. Secondary indicators of cloud platform risk could then be risk of operating system, risk of application software, and risk of availability.
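The pairwise-comparison and weight-synthesis steps described above can be made concrete with a short added example (not code from [13] or [14]). It uses the indicator names mentioned for [14]; the judgment values, the function names, and the consistency-ratio check against Saaty's random index (standard AHP practice, not stated on this page) are assumptions made for illustration.

```python
# Added example: AHP weighting of cloud risk indicators. All judgment values are constructed.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def ahp_weights(matrix, iterations=100):
    """Return (priority vector, consistency ratio) for a reciprocal judgment matrix."""
    n = len(matrix)
    for i in range(n):
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError(f"judgment matrix is not reciprocal at ({i}, {j})")
    w = [1.0 / n] * n
    for _ in range(iterations):  # power iteration towards the principal eigenvector
        nxt = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(nxt)
        w = [x / total for x in nxt]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return w, (ci / ri if ri else 0.0)

def synthesize(top_names, top_matrix, children):
    """Global weight = first-level weight * local sub-indicator weight; returns the risk order."""
    top_w, worst_cr = ahp_weights(top_matrix)
    scores = {}
    for name, weight in zip(top_names, top_w):
        if name not in children:          # indicator without sub-indicators is a leaf
            scores[name] = weight
            continue
        sub_names, sub_matrix = children[name]
        sub_w, sub_cr = ahp_weights(sub_matrix)
        worst_cr = max(worst_cr, sub_cr)
        for sub, local in zip(sub_names, sub_w):
            scores[f"{name} / {sub}"] = weight * local
    order = sorted(scores, key=scores.get, reverse=True)
    return order, scores, worst_cr

# Constructed expert judgments on Saaty's 1-9 scale (entry [i][j]: how much riskier i is than j).
TOP_NAMES = ["cloud computing platform", "cloud storage", "cloud security"]
TOP_MATRIX = [[1, 2, 1/2], [1/2, 1, 1/3], [2, 3, 1]]
CHILDREN = {"cloud computing platform": (
    ["operating system", "application software", "availability"],
    [[1, 3, 1/2], [1/3, 1, 1/5], [2, 5, 1]])}

if __name__ == "__main__":
    order, scores, cr = synthesize(TOP_NAMES, TOP_MATRIX, CHILDREN)
    for name in order:
        print(f"{scores[name]:.3f}  {name}")
    print("worst consistency ratio:", round(cr, 4), "(judgments usually redone above 0.1)")
```

A consistency ratio above 0.1 signals that the experts' pairwise judgments contradict each other, so the resulting risk order should not be trusted until the matrix is revised.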
E. Risk assessment trust matrix
In [15], a Trust Matrix is used for security risk analysis in cloud environments. Two variables, namely “data cost” and “provider’s history”, are considered. With “data cost”, users can assign a cost to data based on the data’s criticality, whereas “provider’s history” includes the record of the past services provided by the provider to consumers. Additionally, the Cloud Controls Matrix (CCM) has been released by CSA as a baseline security control framework designed to help enterprises assess the risks associated with a cloud provider. The CCM includes a risk management domain to ensure that formal risk assessments are aligned with the enterprise-wide framework and are planned and scheduled at regular intervals, determining the likelihood and impact of identified risks using qualitative and quantitative methods. It thereby facilitates transparency and increases the trust level between the cloud customer and the cloud, in order to make the cloud a secure environment for the future of business [16].
F. A quantitative risk assessment
In [5], a quantitative risk and impact assessment framework (QUIRC) is introduced to assess six key categories of security objectives (SO) (i.e., confidentiality, integrity, availability, multiparty trust, mutual auditability and usability) in a cloud computing platform. The impact is determined by Subject Matter Experts who are knowledgeable about the impact of threats on their particular type of business.
G. A qualitative risk assessment
The European Network and Information Security Agency (ENISA) [6] has published a guide that allows an informed assessment of the security risks and benefits of using cloud computing. For the purposes of the risk assessment, a medium-sized company was used as a use case, and the aim was to expose all possible information security risks. The risks identified in the assessment are classified into three categories: technical, legal, and policy and organizational issues. Each risk is presented in a table that includes probability level, impact level, reference to vulnerabilities, reference to affected assets, and level of risk. The estimation of risk levels is based on ISO/IEC 27005.
H. Synthesis
In the literature review, several risk assessment methodologies and frameworks have been reviewed and suggested. The risk assessment methods have been classified into five categories: assessment as a service, quantitative and qualitative, hierarchical, graph analysis, and security matrix assessment. In addition to the risk assessment methods that have been reviewed, the CSA and ENISA lead a number of ongoing research initiatives (security guidance, CCM and STAR). Despite all these methodologies and initiatives, no complete and concise methodology currently exists for analyzing and evaluating the security risks of cloud-based solutions. Cloud-specific threats, vulnerabilities and risks have already been identified or assessed by numerous sources, but it remains unclear how to assess risks based on Information Risk Management frameworks or methods in the context of the cloud. As a result, the adoption of cloud solutions in a number of industries has stalled. Most of the studies view the problem of assessing security risks from either the cloud customer's or the cloud provider's perspective. A comprehensive, shared, collaborative and intelligent risk assessment methodology that considers both customer and provider is therefore recommended. Such a shared assessment enables the cloud provider to prove how the security risks have been managed and mitigated, and enables the cloud consumer to determine the risk tolerance and define security requirements accordingly. Using the intelligent expert agents in our architecture makes risk assessment in a cloud computing environment more efficient and more autonomous.

About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, Risk assessment methodologies and frameworks for cloud computing. Available from: <https://www.essaysauce.com/information-technology-essays/2016-2-16-1455621386/> [Accessed 21-09-23].

These Information technology essays have been submitted to us by students in order to help you with your studies.

* This essay may have been previously published on Essay.uk.com at an earlier date.