Risk Management on the Security Problem in Cloud Computing

Shigeaki TANIMOTO1), Manami HIRAMOTO1), Motoi IWASHITA1), Hiroyuki SATO2), Atsushi KANAI3)

1) Chiba Institute of Technology, Japan, shigeaki.tanimoto@chiba-it.ac.jp 2) The University of Tokyo, Japan, schuko@satolab.itc.u-tokyo.ac.jp

3) Hosei University, Japan, yoikana@hosei.ac.jp

Abstract—ICT systems have been investigated for flexible systems configuration, systems operation cost reduction, environmental impact reduction, etc. Cloud computing has attracted attention as technology that solves these. In the U.S., business Cloud services, such as Amazon EC2/S3, Google Apps, Force.com, and Windows Azure, are gaining more and moreusers. Additionally, study of Cloud computing, such as a governmental i-Japan strategy and a start of the smart Cloud study group of the Ministry of Internal Affairs and Communications, is progressing rapidly in Japan. However, the investigation on the present Cloud computing is mainly focused on the service side, while the security side has not been sufficiently looked at. The security perception by the social viewpoints of a user's vague uneasiness has especially been insufficiently investigated. This paper looks into the various risks when a company uses Cloud computing. That is, the security from a user’s viewpoint in Cloud computing is investigated. Concretely, the risk factor from a user’s viewpoint in such Cloud computing is comprehensively extracted with the risk breakdown structure (RBS) method. Furthermore, the risk factors that were extracted are analyzed and evaluated. A detailed countermeasure and proposal are produced on the basis of these results. These in turn will be used to promote public Cloud use, strengthen competitiveness by cost reduction, and increase the efficiency of corporate management.

Keywords- Cloud Computig; Risk Management; Risk Breakdown Structure;

I. INTRODUCTION

In recent years, Cloud computing has been thoroughly studied by the governmental i-Japan strategy [1], the smart Cloud study group of the Ministry of Internal Affairs and Communications [2], and the start of the global Cloud base cooperation technical forum [3]. Moreover, various major companies have started Cloud services, among themAmazon EC2/S3 [4], Google Apps [5], Force.com [6], and Windows Azure [7]. Generally, although Cloud services such as SaaS, PaaS, and IaaS have been investigated enough, Cloud security has not [8]. Therefore, users anxiety about the safety of Cloud computing is reasonable. For example, the operation management of a user's system can be entrusted toa provider in a public Cloud. However, a user may not understand a provider's detailed operation management method. Generally, in the Cloud environment, operation is managed by using virtual technology as the base in many cases in the multi-tenant form in which two or more users share the system environment. In this case, security problems

exist, such as whether separate customers’ data can be separated securely and how to protect this data from third parties [9]-[10]. According to one survey in Japan, about 70 percent of respondents mentioned insecure security as a reason they were wary of Cloud computing [11]. Thus, with the subject of the security in Cloud computing, it seems that the users’ perceptions are as strong as the technical factor [12].

This paper analyzes risks of utilizing Cloud computing based on these backgrounds. That is, the risks arecomprehensively extracted from a user’s viewpoint to Cloud computing by using the risk breakdown structure (RBS)method, a typical risk-analysis method. Furthermore, it isanalyzed and evaluated, and a detailed countermeasure and proposal are performed. Accordingly, more companies will be willing to use Cloud, which will contribute to strengthening competitiveness and reducing operating costs.

II. SECURITY ISSUE IN CLOUD COMPUTING

Cloud computing security has not been sufficientlyinvestigated, although Cloud computing service has. In particular, since the typical technical element of Cloud computing is virtual technology, insecurity arises from a user not fully understanding the actual conditions. Thus, in Cloud computing, investigating the users’ perceptions of security is becoming as important as the investigating quality of service.Below, the main subjects of security based on the social viewpoint in Cloud computing are described.

A. Existence of Two or More StakeholdersGenerally, various services are distributed and provided

in the Cloud environment. Thus, to use a service, identity information must be shown. In this case, the criteria are needed to determine the importance of various kinds ofidentity information. For example, in the case of the identity information that is not secure, only unimportant services can be provided. On the other hand, receiving more important information or services requires more detailed identity information. However, these issues have been underinvestigated.

B. Security Guarantee in Disclosure EnvironmentUsers generally do not understand at all about how

information is managed in the Cloud environment. Until now, studies from a viewpoint of availability have done about storing the information in Cloud computing. However, the security of critical information represented by personal information (text information, a photograph, etc.) has not

2011 First ACIS/JNU International Conference on Computers, Networks, Systems, and Industrial Engineering

978-0-7695-4417-5/11 $26.00 © 2011 IEEE

DOI 10.1109/CNSI.2011.82

147

2011 First ACIS/JNU International Conference on Computers, Networks, Systems, and Industrial Engineering

978-0-7695-4417-5/11 $26.00 © 2011 IEEE

DOI 10.1109/CNSI.2011.82

147

been investigated yet. That is, risks have not been fully discussed.

C. Mission Critical Data ProblemBecause they do not fully trust Cloud services’ security,

users have been reluctant to entrust Clouds with mission critical data. Thus, company employees build private Clouds.However, to do this takes a lot of money and requiresspecialist knowledge. Therefore, it is desirable that users' insecurity be assuaged so they can confidently store mission critical data by using Cloud computing.

This paper extracts the risk factor of above security perceptions in Cloud computing, details countermeasures,and proposes a risk management system.

III. EXTRACTION AND ANALYSIS OF RISK FACTOR TO SECURITY PERCEPTION PROBLEM

A. Extraction of Risk FactorHere, the risk analysis of security problems was carried

out. This risk analysis referred to the security risk results of an investigation about Cloud computing [13], a security evaluation benchmark [14], the security guideline by Cloud Security Alliance (CSA) [15], etc. Specifically, the risk factor was systematically extracted using Risk Breakdown Structure (RBS) which is the typical risk-analysis method of the project management method. This results are shown in Table 1.

TABLE I. RISK FACTOR EXTRACTION RESULT OF SECURITY PERCEPTION PROBLEM BY RBSLevel 1: Major

divisionLevel 2: Middle

division Level 3: Risks

1. Risks forCompany Introducing Cloud Computing

1.1 System

1.1.1 Problem of Cooperation with Existing System

1.1.2 Problem of Removing Data when Finishing Use of Cloud Service

1.1.3 Problem of Unique Specification of Service Provider

1.1.4 Problem with Supervisor of Service Provider

1.1.5 Problem of Service Provider Leaking, Altering, and Wrongly Using Data

1.1.6 Problem of Data Being Deleted After Cloud Service Use

1.2 Operation

1.2.1 Problem of Regulatory Non-compliance by Service Provider

1.2.2 Problem of Service Provider Limiting Information Disclosure

1.2.3 Problem of Requirements for Authentication

1.2.4 Problem of Managing Confidential Information

1.2.5 Bad Influence when Data of Other Company Using the Same Service are Seized

1.3 Facility 1.3.1 Problem of Environmental Impact, Such as Carbon-dioxide Emissions

2. Risks for Cloud Service Provider

2.1 System

2.1.1 Problem of Difference between Work Important Matter of Use Company and Cloud Service Provider Specification

2.1.2 Problem of Unrestorable Specifications when Data Disappears

2.1.3 Problem of Insufficient Access Privilege Management

2.2 Operation

2.2.1 Problem whether to Fill Service Level Agreement or Not

2.2.2 Crisis of Continuation of Service Caused by Bankruptcy, Overspending, etc.

2.2.3 Problem when Business Continuous Plan is Nonexistent or Insufficient

2.2.4 Problem when Security Management Organization not Fixed

2.2.5 Problem of Data Leaking or Disappearing due to Operation Mistake

2.2.6 Problem to Compliance with Internal Control, Security Audit, Etc.

3. Others3.1 Operation 3.1.1 Restriction by Revision of Law

3.2 Facility 3.2.1 Disaster Destroying Data Center

148148

B. Risk AnalysisThe risk-analysis method is based on Decision Tree

Analysis, and the method of depending on a risk matrix are typical. The former is quantitive, and the latter is qualitative. In this paper, the qualitative risk matrix method is used to deal with user security.

As shown in Fig. 1, the risk matrix method classifies risks into four kinds (Risk Avoidance, Risk Mitigation, Risk Acceptance, and Risk Transference) in accordance with the generation frequency and degree of incidence, and these correspond with the following plans.

Risks are classified in accordance with the degree of incidence and generation frequency. Countermeasures corresponding to each are as follows.

(3) Risk Transference

(1) Risk Avoidance

(4) Risk Acceptance

(2) Risk Mitigation

(3) Risk Transference

(1) Risk Avoidance

(4) Risk Acceptance

(2) Risk Mitigation

Generation FrequencyLow High

Deg

ree

of In

cide

nce

Low

Hig

h

(1)Risk Avoidance: A risk is avoided and alternatives are shown.

(2)Risk Mitigation: Decrease to the level at which risk can be accepted.

(3)Risk Transference: Transfer a risk to a 3rd party.

(4)Risk Acceptance: Accept a risk unconditionally.

Figure 1. Risk Matrix Method

Level 1 1. Risks for Company Introducing Cloud Computing

Level 2 1.2 Operation

Risks 1.2.1 Problem of Regulatory Non-compliance by Service Provider

Classification of Risk Countermeasure

Details of a Risk Event

If the Cloud Service provider violates personal information protection law, the responsibility of a use company will also be demanded.

Cause

The company using the Cloud cannot check whether the Cloud service provider side has observed compliance.

Countermeasure

The company gets a third party to judge whether its compliance criteria are satisfied in before a contract.

Level 1 1. Risks for Company Introducing Cloud Computing

Level 2 1.2 Operation

Risks 1.2.1 Problem of Regulatory Non-compliance by Service Provider

Classification of Risk Countermeasure

Details of a Risk Event

If the Cloud Service provider violates personal information protection law, the responsibility of a use company will also be demanded.

Cause

The company using the Cloud cannot check whether the Cloud service provider side has observed compliance.

Countermeasure

The company gets a third party to judge whether its compliance criteria are satisfied in before a contract.

As shown in the above figure, hatching parts are risk countermeasures most suitable for the risk event.

Introductory notes:(3) Risk

Transference(1) Risk

Avoidance

(4) Risk Acceptance

(2) Risk Mitigation

(3) Risk Transference

(1) Risk Avoidance

(4) Risk Acceptance

(2) Risk Mitigation

Generation FrequencyLow High

Deg

ree

of In

cide

nce

Low

Hig

h

Figure 2. Example of Risk-analysis Result

Figure 2 shows how the risk matrix method analyzes arisk. As shown in this figure, it analyzes the details of risk 1.2.1, its causes, and a countermeasure. The results are given in Table 2.

TABLE II. RISK COUNTERMEASURE RESULT

Level 3: Risks Countermeasures

1.1.1 Cooperation with Existing System Risk Avoidance

1.1.2 Problem of Removing Data Risk Transference

1.1.3 Problem of Unique Specification Risk Avoidance

1.1.4 Problem with Supervisor of SP Risk Transference

1.1.5 Problem of SP Leaking Data Risk Transference

1.1.6 Problem of Data Deletion Risk Mitigation

1.2.1 Regulatory Non-compliance Risk Transference

1.2.2 Problem of Information Disclosure Risk Mitigation

1.2.3 Requirements for Authentication Risk Mitigation

1.2.4 Management of Confidential Data Risk Mitigation

1.2.5 Adverse Effects when Data of Other Company Using the Same Service are Seized Risk Transference

1.3.1 Problem of Environmental Impacts Risk Acceptance

2.1.1 Difference of Specification Risk Avoidance

2.1.2 Unrestorable Specification when Data Disappears Risk Acceptance

2.1.3 Access Privilege Management Risk Mitigation

2.2.1 Problem whether to Fill Service Level Agreement or Not Risk Transference

2.2.2 Crisis of Continuation of Service Risk Transference

2.2.3 Business Continuous Plan Nonexistent Risk Transference

2.2.4 Security Management not Fixed Risk Transference

2.2.5 Problem of Data Leakage Risk Transference

2.2.6 Internal Control, Security Audit, Etc. Risk Acceptance

3.1.1 Restriction by Revision of Law Risk Acceptance

3.2.1 Effect of Data Center Destruction Risk Transference

IV. RISK MANAGEMENT TO SECURITY PERCEPTION PROBLEM

Figure 3 summarizes the analysis results in Table 2. This section details the risk management proposals for eachclassification: Risk Transference, Risk Mitigation, Risk Acceptance, and Risk Avoidance.

149149

Num

ber o

f Ris

k ev

ent

Figure 3. Risk-analysis Result

A. Risk TransferenceTable 3 lists the risks, countermeasures against Risk

Transference, and their classifications. Since the problemstend to come from the Cloud service provider, risks are most commonly transferred. The countermeasures against Risk Transference are the surveillance by a third party and the guarantee by a service provider.

B. Risk MitigationTable 4 lists the risks, countermeasures against Risk

Mitigation, and their classifications. Risks classified into Risk Mitigation tend to involve regulatory compliance of the Cloud service provider, specification, authentication, etc. It was classified into whether specification with the Cloud service provider is adjusted, or it devises according to the specification of the Cloud service provider as a countermeasures against these risks.

C. Risk AcceptanceTable 5 lists the risks, countermeasures against Risk

Acceptance, and their classifications. Risks here tend to be based on external factors, such as a laws. Since these countermeasures are indirect things that depend on external factors, such as laws, they are whether it devises in the constraint, or to accept in that condition.

D. Risk Avoidance Table 6 lists the risks, countermeasures against Risk

Avoidance, and their classifications. The risks here tend to be caused by different specifications of the Cloud service provider and users. These countermeasure methods are classified into two: the cases where the user needs to be adjusted or the countermeasure from the Cloud service provider is required. That is, a drastic and difficultcountermeasure is needed.

TABLE III. COUNTERMEASURES AGAINST RISK TRANSFERENCE AND THEIR CLASSIFICATION RESULTS

Level 3: Risks Countermeasures Classification

1.1.2 Problem of Removing Data after Using Cloud Service

The surveillance of data movement is requested of a third party. Cloud service provider is requested to move data. 1) Third party surveillance

1.1.4 Problem with Supervisor of Service Provider

A supervisor is requested of a third party. The insurance of a sake when mistakes are made is prepared. 1) Third party surveillance

1.1.5 Problem of Service ProviderLeaking, Altering, and Wrongly Using Data

When contract is signed with the Cloud service provider, compensation forunauthorized use is specified.

2) Service Provider Guarantee

1.2.1 Problem Regulatory Non-compliance by Service Provider

Before contracting, a third party is asked to see if the Cloud service complies with relevant regulations. 1) Third party surveillance

1.2.5 Adverse Effects when Data of Other Company Using the Same Service are Seized

Distributed storage of the data is performed and data are stored. Or data is backed up.

2) Service Provider Guarantee

2.2.1 Problem of whether to Fill SLA A third party checks whether the Cloud service content fills SLA and supervises any filling. 1) Third party surveillance

2.2.2 Crisis of Continuation of Service Caused by Bankruptcy, Overspending, Etc.

Supposing the Cloud service provider goes bankrupt, the user insures itslife so that it is not damaged. Moreover, two or more Cloud services are used tospread risk.

2) Service Provider Guarantee

2.2.3 Problem when Business Continuous Plan is Nonexistent or Insufficient

Insurance is applied when Cloud service is no longer provided. 2) Service Provider Guarantee

2.2.4 Problem when Security Management Organization Not Fixed

A user contracts with provider who has manages security sufficiently. Or when using the Cloud service, use of data is limited to the data that seldom needs a security management.

2) Service Provider Guarantee

2.2.5 Problem of Data Leaking or Disappearing due to Operation Mistake

A user insures itself in case of an operation mistake of the Cloud service provider.

2) Service Provider Guarantee

3.2.1 Effect of Data Center Destruction Data are backed up at other data centers. 2) Service Provider

Guarantee

150150

TABLE IV. COUNTERMEASURES AGAINST RISK MITIGATION AND THEIR CLASSIFICATION RESULTS

Level 3: Risks Countermeasure against Risk Management Classification

1.1.6 Problem of Data Deletion After Cloud Service Use

Even when data cannot be deleted, the form of data is devised so that it may be uninfluential. For example, it devises encrypting data etc.

2) Combine with the Cloud service specifications.

1.2.2 Problem of Service Provider Limiting Information Disclosure

The specifications of the Cloud service are decided in advance so that they can be inspected.

1) Cloud service provideradjusts the specification.

1.2.3 Problem of Requirements for Authentication Cloud service uses unique authentication. 2) Combine with the Cloud

service specifications.

1.2.4 Problem of ManagingConfidential Information

Even if confidential information suddenly passes into the possession of unauthorized personnel, it cannot be read immediately.

2) Combine with the Cloud service specifications.

2.1.3 Problem when AccessPrivilege Management is Insufficient

The Cloud service provider that has the best access privilege management is chosen.

1) Cloud service provider adjusts the specification.

TABLE V. COUNTERMEASURES AGAINST RISK ACCEPTANCE AND THEIR CLASSIFICATION RESULTS

Level 3: Risks Countermeasure against Risk Management Classification

1.3.1 Problem of Environmental Impact, Such as Carbon-dioxide Emissions

The original responsibility for an environmental impact is accepted. Others

2.1.2 Problem of Unrestorable Specifications when Data Disappears

A user devises performing duplex-ization of data so that it may not be troubled, even if data disappears etc. Others

2.2.6 Problem of Compliancewith Internal Control, Security Audit, Etc.

The effects on an internal control, security audit, etc. are accepted. Others

3.1.1 Restriction by Revision of Law The Cloud service that can respond flexibly each time is chosen. Others

TABLE VI. COUNTERMEASURES AGAINST RISK AVOIDANCE AND THEIR CLASSIFICATION RESULTS

Level 3: Risks Countermeasure against Risk Management Classification

1.1.1 Problem of Cooperation with Existing System

When cooperation with an existing system is impossible, you have to install a new system. Moreover, do not introduce Cloud computing into systemswith which it cannot cooperate.

1) Users' adjustment

1.1.3 Problem of Unique Specification of Service Provider

When you choose the Cloud service provider, do not choose service with low compatibility.

2) Choice of the Cloud service provider

2.1.1 Problem of Difference between Work Important Matter of Use Company and Cloud Service Provider Specification

Other methods are used when Cloud computing does not satisfy a work important matter. 1) Users' adjustment

E. Conclusion of Risk Management Analysis Result(1) Risk Transference: This has many risks caused by the

Cloud service provider.

(2) Risk Mitigation: This has many risks that come withusing Cloud services, such as compliance, specification, and authentication.

(3) Risk Acceptance: This is characterized by indirect risks based on external factors, such as laws.

(4) Risk Avoidance: This is characterized by risks based on different specifications used by the Cloud service provider and the user.

151151

As mentioned above, the main results are as follows. The event classified into Risk Transference has the effective countermeasures which build insurance original with the Cloud service provider. With the event classified into Risk Mitigation, users' specification mitigation, adaptation of the specification corresponding to the Cloud service provider, etc. are considered to be effective as countermeasures.

V. CONCLUSION

This paper analyzed Cloud computing security problems in detail on the basis of the risk breakdown structure (RBS)method and the risk matrix method. Furthermore, countermeasures were individually developed to satisfy extracted risks. That is, it is expected that the Cloud service provider can remove users' vague insecurity by the countermeasures proposed in this paper.

We will evaluate the effectiveness of the proposedcountermeasures quantitatively in the future. Accordingly, we will aim to improve objectivity and develop these ideas into specific proposals.

REFERENCES

[1] Prime Minister's official residence: i-Japan strategy 2015, (in Japanese), http://www.kantei.go.jp/jp/singi/it2/kongo/digital/dai9/9siryou2.pdf

[2] Ministry of Internal Affairs and Communications : "Smart Cloud study group", (in Japanese), http://www.soumu.go.jp/menu_news/s-news/02ryutsu05_000004.html

[3] Ministry of Internal Affairs and Communications : global Cloud base cooperation technical forum, (in Japanese), http://www.gictf.jp/

[4] Amazon Elastic Compute Cloud (Amazon EC2), http://aws.amazon.com/ec2/#pricing

[5] Google Apps , http://www.google.com/a/help/intl/ja/admins/customers.html

[6] Force.com, http://www.salesforce.com/jp/platform/[7] Windows Azure, http://msdn.microsoft.com/ja-

jp/azure/cc994380.aspx[8] Naohiko Uramoto, Security and compliance in Cloud computing,

IPSJ, Vol.50, No.11,pp1099-1105, Nov. 2009, (in Japanese)[9] Nomura Research Institute, IT load map 2010 edition,2009, (in

Japanese)

[10] T. Matsumoto, Cloud computing :What is the subject on security?, IPA, 2009, (in Japanese), http://www.ipa.go.jp/about/news/event/ipax2009/pdf/IPAX2009_security_matsumoto.pdf

[11] Manabi-ing, The 2nd Cloud computing opinion poll, (in Japanese), http://cloud.manabing.jp/cloud-news/ing7048.html

[12] H.Sato,et al., A Cloud Trust Model in a Security Aware Cloud, SAINT2010, pp.121-124

[13] Gartner: Seven Cloud-computing Security Risks(2008).http://www.infoworld.com/d/security-central/gartner-seven-cioud-computing-security-risks-853

[14] Information security management for the use of cloud computing services based on ISO/IEC 27002, search.e-gov.go.jp/servlet/PcmFileDownload?seqNo=0000069865

[15] Yuji Yamanobe, the security evaluation benchmark of Cloud computing, (in Japanese), http://ynb.seiiku.net/emrui/1012cloudsecurity.pdf

[16] Cloud Security Alliance , Security Guidance for Critical Areas of Focus in Cloud Computing - UPDATED February 14, 2011, http://www.cloudsecurityalliance.org/guidance.html

152152