2011 First ACIS/JNU International Conference on Computers, Networks, Systems, and Industrial Engineering

Risk Management on the Security Problem in Cloud Computing

Shigeaki TANIMOTO1), Manami HIRAMOTO1), Motoi IWASHITA1), Hiroyuki SATO2), Atsushi KANAI3)
1) Chiba Institute of Technology, Japan, shigeaki.tanimoto@chiba-it.ac.jp 2) The University of Tokyo, Japan, schuko@satolab.itc.u-tokyo.ac.jp 3) Hosei University, Japan, yoikana@hosei.ac.jp

AbstractICT systems have been investigated for flexible systems configuration, systems operation cost reduction, environmental impact reduction, etc. Cloud computing has attracted attention as technology that solves these. In the U.S., business Cloud services, such as Amazon EC2/S3, Google Apps, Force.com, and Windows Azure, are gaining more and more users. Additionally, study of Cloud computing, such as a governmental i-Japan strategy and a start of the smart Cloud study group of the Ministry of Internal Affairs and Communications, is progressing rapidly in Japan. However, the investigation on the present Cloud computing is mainly focused on the service side, while the security side has not been sufficiently looked at. The security perception by the social viewpoints of a user's vague uneasiness has especially been insufficiently investigated. This paper looks into the various risks when a company uses Cloud computing. That is, the security from a users viewpoint in Cloud computing is investigated. Concretely, the risk factor from a users viewpoint in such Cloud computing is comprehensively extracted with the risk breakdown structure (RBS) method. Furthermore, the risk factors that were extracted are analyzed and evaluated. A detailed countermeasure and proposal are produced on the basis of these results. These in turn will be used to promote public Cloud use, strengthen competitiveness by cost reduction, and increase the efficiency of corporate management. Keywords- Cloud Computig; Risk Management; Risk Breakdown Structure;

exist, such as whether separate customers data can be separated securely and how to protect this data from third parties [9]-[10]. According to one survey in Japan, about 70 percent of respondents mentioned insecure security as a reason they were wary of Cloud computing [11]. Thus, with the subject of the security in Cloud computing, it seems that the users perceptions are as strong as the technical factor [12]. This paper analyzes risks of utilizing Cloud computing based on these backgrounds. That is, the risks are comprehensively extracted from a users viewpoint to Cloud computing by using the risk breakdown structure (RBS) method, a typical risk-analysis method. Furthermore, it is analyzed and evaluated, and a detailed countermeasure and proposal are performed. Accordingly, more companies will be willing to use Cloud, which will contribute to strengthening competitiveness and reducing operating costs. II. SECURITY ISSUE IN CLOUD COMPUTING

Cloud computing security has not been sufficiently investigated, although Cloud computing service has. In particular, since the typical technical element of Cloud computing is virtual technology, insecurity arises from a user not fully understanding the actual conditions. Thus, in Cloud computing, investigating the users perceptions of security is becoming as important as the investigating quality of service. Below, the main subjects of security based on the social viewpoint in Cloud computing are described. A. Existence of Two or More Stakeholders Generally, various services are distributed and provided in the Cloud environment. Thus, to use a service, identity information must be shown. In this case, the criteria are needed to determine the importance of various kinds of identity information. For example, in the case of the identity information that is not secure, only unimportant services can be provided. On the other hand, receiving more important information or services requires more detailed identity information. However, these issues have been underinvestigated. B. Security Guarantee in Disclosure Environment Users generally do not understand at all about how information is managed in the Cloud environment. Until now, studies from a viewpoint of availability have done about storing the information in Cloud computing. However, the security of critical information represented by personal information (text information, a photograph, etc.) has not

I.

INTRODUCTION

In recent years, Cloud computing has been thoroughly studied by the governmental i-Japan strategy [1], the smart Cloud study group of the Ministry of Internal Affairs and Communications [2], and the start of the global Cloud base cooperation technical forum [3]. Moreover, various major companies have started Cloud services, among them Amazon EC2/S3 [4], Google Apps [5], Force.com [6], and Windows Azure [7]. Generally, although Cloud services such as SaaS, PaaS, and IaaS have been investigated enough, Cloud security has not [8]. Therefore, users anxiety about the safety of Cloud computing is reasonable. For example, the operation management of a user's system can be entrusted to a provider in a public Cloud. However, a user may not understand a provider's detailed operation management method. Generally, in the Cloud environment, operation is managed by using virtual technology as the base in many cases in the multi-tenant form in which two or more users share the system environment. In this case, security problems

978-0-7695-4417-5/11 $26.00 2011 IEEE DOI 10.1109/CNSI.2011.82

147

been investigated yet. That is, risks have not been fully discussed. C. Mission Critical Data Problem Because they do not fully trust Cloud services security, users have been reluctant to entrust Clouds with mission critical data. Thus, company employees build private Clouds. However, to do this takes a lot of money and requires specialist knowledge. Therefore, it is desirable that users' insecurity be assuaged so they can confidently store mission critical data by using Cloud computing. This paper extracts the risk factor of above security perceptions in Cloud computing, details countermeasures, and proposes a risk management system.
Level 1: Major division

III.

EXTRACTION AND ANALYSIS OF RISK FACTOR TO SECURITY PERCEPTION PROBLEM

A. Extraction of Risk Factor Here, the risk analysis of security problems was carried out. This risk analysis referred to the security risk results of an investigation about Cloud computing [13], a security evaluation benchmark [14], the security guideline by Cloud Security Alliance (CSA) [15], etc. Specifically, the risk factor was systematically extracted using Risk Breakdown Structure (RBS) which is the typical risk-analysis method of the project management method. This results are shown in Table 1.

TABLE I. RISK FACTOR EXTRACTION RESULT OF SECURITY PERCEPTION PROBLEM BY RBS Level 2: Middle Level 3: Risks division 1.1.1 Problem of Cooperation with Existing System 1.1.2 Problem of Removing Data when Finishing Use of Cloud Service 1.1.3 Problem of Unique Specification of Service Provider 1.1 System 1.1.4 Problem with Supervisor of Service Provider 1.1.5 Problem of Service Provider Leaking, Altering, and Wrongly Using Data

1. Risks for Company Introducing Cloud Computing

1.1.6 Problem of Data Being Deleted After Cloud Service Use 1.2.1 Problem of Regulatory Non-compliance by Service Provider 1.2.2 Problem of Service Provider Limiting Information Disclosure 1.2 Operation 1.2.3 Problem of Requirements for Authentication 1.2.4 Problem of Managing Confidential Information 1.2.5 Bad Influence when Data of Other Company Using the Same Service are Seized 1.3 Facility 1.3.1 Problem of Environmental Impact, Such as Carbon-dioxide Emissions 2.1.1 Problem of Difference between Work Important Matter of Use Company and Cloud Service Provider Specification 2.1 System 2.1.2 Problem of Unrestorable Specifications when Data Disappears 2.1.3 Problem of Insufficient Access Privilege Management 2.2.1 Problem whether to Fill Service Level Agreement or Not

2. Risks for Cloud Service Provider 2.2 Operation

2.2.2 Crisis of Continuation of Service Caused by Bankruptcy, Overspending, etc. 2.2.3 Problem when Business Continuous Plan is Nonexistent or Insufficient 2.2.4 Problem when Security Management Organization not Fixed 2.2.5 Problem of Data Leaking or Disappearing due to Operation Mistake 2.2.6 Problem to Compliance with Internal Control, Security Audit, Etc. 3.1 Operation 3.1.1 Restriction by Revision of Law 3.2.1 Disaster Destroying Data Center

3. Others 3.2 Facility

148

B. Risk Analysis The risk-analysis method is based on Decision Tree Analysis, and the method of depending on a risk matrix are typical. The former is quantitive, and the latter is qualitative. In this paper, the qualitative risk matrix method is used to deal with user security. As shown in Fig. 1, the risk matrix method classifies risks into four kinds (Risk Avoidance, Risk Mitigation, Risk Acceptance, and Risk Transference) in accordance with the generation frequency and degree of incidence, and these correspond with the following plans.
Low Degree of Incidence High

TABLE II.

RISK COUNTERMEASURE RESULT Countermeasures Risk Avoidance Risk Transference Risk Avoidance Risk Transference Risk Transference Risk Mitigation Risk Transference Risk Mitigation Risk Mitigation Risk Mitigation Risk Transference Risk Acceptance Risk Avoidance Risk Acceptance Risk Mitigation Risk Transference Risk Transference Risk Transference Risk Transference Risk Transference Risk Acceptance Risk Acceptance Risk Transference

Level 3: Risks 1.1.1 Cooperation with Existing System 1.1.2 Problem of Removing Data 1.1.3 Problem of Unique Specification 1.1.4 Problem with Supervisor of SP 1.1.5 Problem of SP Leaking Data 1.1.6 Problem of Data Deletion 1.2.1 Regulatory Non-compliance 1.2.2 Problem of Information Disclosure 1.2.3 Requirements for Authentication 1.2.4 Management of Confidential Data 1.2.5 Adverse Effects when Data of Other Company Using the Same Service are Seized 1.3.1 Problem of Environmental Impacts

(3) Risk Transference

(1) Risk Avoidance

Risks are classified in accordance with the degree of incidence and generation frequency. Countermeasures corresponding to each are as follows. (1)Risk Avoidance: A risk is avoided and alternatives are shown. (2)Risk Mitigation: Decrease to the level at which risk can be accepted. (3)Risk Transference: Transfer a risk to a 3rd party. (4)Risk Acceptance: Accept a risk unconditionally.

(4) Risk Acceptance

(2) Risk Mitigation

Low

Generation Frequency

High

Figure 1. Risk Matrix Method

Level 1 Level 2 Risks

1. Risks for Company Introducing Cloud Computing 1.2 Operation 1.2.1 Problem of Regulatory Non-compliance by Service Provider Classification of Risk Countermeasure

2.1.1 Difference of Specification 2.1.2 Unrestorable Specification when Data Disappears 2.1.3 Access Privilege Management 2.2.1 Problem whether to Fill Service Level Agreement or Not

Low Degree of Incidence High

(3) Risk Transference

(1) Risk Avoidance

Introductory notes:

2.2.2 Crisis of Continuation of Service 2.2.3 Business Continuous Plan Nonexistent

(4) Risk Acceptance

(2) Risk Mitigation

As shown in the above figure, hatching parts are risk countermeasures most suitable for the risk event.

2.2.4 Security Management not Fixed 2.2.5 Problem of Data Leakage 2.2.6 Internal Control, Security Audit, Etc. 3.1.1 Restriction by Revision of Law 3.2.1 Effect of Data Center Destruction

Low

Generation Frequency

High

Details of a Risk Event If the Cloud Service provider violates personal information protection law, the responsibility of a use company will also be demanded. Cause The company using the Cloud cannot check whether the Cloud service provider side has observed compliance. Countermeasure The company gets a third party to judge whether its compliance criteria are satisfied in before a contract.

IV.

RISK MANAGEMENT TO SECURITY PERCEPTION PROBLEM

Figure 2. Example of Risk-analysis Result

Figure 3 summarizes the analysis results in Table 2. This section details the risk management proposals for each classification: Risk Transference, Risk Mitigation, Risk Acceptance, and Risk Avoidance.

Figure 2 shows how the risk matrix method analyzes a risk. As shown in this figure, it analyzes the details of risk 1.2.1, its causes, and a countermeasure. The results are given in Table 2.

149

Number of Risk event

B. Risk Mitigation Table 4 lists the risks, countermeasures against Risk Mitigation, and their classifications. Risks classified into Risk Mitigation tend to involve regulatory compliance of the Cloud service provider, specification, authentication, etc. It was classified into whether specification with the Cloud service provider is adjusted, or it devises according to the specification of the Cloud service provider as a countermeasures against these risks. C. Risk Acceptance Table 5 lists the risks, countermeasures against Risk Acceptance, and their classifications. Risks here tend to be based on external factors, such as a laws. Since these countermeasures are indirect things that depend on external factors, such as laws, they are whether it devises in the constraint, or to accept in that condition. D. Risk Avoidance Table 6 lists the risks, countermeasures against Risk Avoidance, and their classifications. The risks here tend to be caused by different specifications of the Cloud service provider and users. These countermeasure methods are classified into two: the cases where the user needs to be adjusted or the countermeasure from the Cloud service provider is required. That is, a drastic and difficult countermeasure is needed.

Figure 3. Risk-analysis Result

A. Risk Transference Table 3 lists the risks, countermeasures against Risk Transference, and their classifications. Since the problems tend to come from the Cloud service provider, risks are most commonly transferred. The countermeasures against Risk Transference are the surveillance by a third party and the guarantee by a service provider.

TABLE III. Level 3: Risks

COUNTERMEASURES AGAINST RISK TRANSFERENCE AND THEIR CLASSIFICATION RESULTS Countermeasures The surveillance of data movement is requested of a third party. Cloud service provider is requested to move data. A supervisor is requested of a third party. The insurance of a sake when mistakes are made is prepared. When contract is signed with the Cloud service provider, compensation for unauthorized use is specified. Before contracting, a third party is asked to see if the Cloud service complies with relevant regulations. Distributed storage of the data is performed and data are stored. Or data is backed up. A third party checks whether the Cloud service content fills SLA and supervises any filling. Supposing the Cloud service provider goes bankrupt, the user insures itslife so that it is not damaged. Moreover, two or more Cloud services are used to spread risk. Insurance is applied when Cloud service is no longer provided. A user contracts with provider who has manages security sufficiently. Or when using the Cloud service, use of data is limited to the data that seldom needs a security management. A user insures itself in case of an operation mistake of the Cloud service provider. Data are backed up at other data centers. Classification 1) Third party surveillance 1) Third party surveillance 2) Service Provider Guarantee 1) Third party surveillance 2) Service Provider Guarantee 1) Third party surveillance 2) Service Provider Guarantee 2) Service Provider Guarantee 2) Service Provider Guarantee 2) Service Provider Guarantee 2) Service Provider Guarantee

1.1.2 Problem of Removing Data after Using Cloud Service 1.1.4 Problem with Supervisor of Service Provider 1.1.5 Problem of Service Provider Leaking, Altering, and Wrongly Using Data 1.2.1 Problem Regulatory Noncompliance by Service Provider 1.2.5 Adverse Effects when Data of Other Company Using the Same Service are Seized 2.2.1 Problem of whether to Fill SLA 2.2.2 Crisis of Continuation of Service Caused by Bankruptcy, Overspending, Etc. 2.2.3 Problem when Business Continuous Plan is Nonexistent or Insufficient 2.2.4 Problem when Security Management Organization Not Fixed 2.2.5 Problem of Data Leaking or Disappearing due to Operation Mistake 3.2.1 Effect of Data Center Destruction

150

TABLE IV. Level 3: Risks 1.1.6 Problem of Data Deletion After Cloud Service Use 1.2.2 Problem of Service Provider Limiting Information Disclosure 1.2.3 Problem of Requirements for Authentication 1.2.4 Problem of Managing Confidential Information 2.1.3 Problem when Access Privilege Management is Insufficient TABLE V. Level 3: Risks 1.3.1 Problem of Environmental Impact, Such as Carbon-dioxide Emissions 2.1.2 Problem of Unrestorable Specifications when Data Disappears 2.2.6 Problem of Compliance with Internal Control, Security Audit, Etc. 3.1.1 Restriction by Revision of Law

COUNTERMEASURES AGAINST RISK MITIGATION AND THEIR CLASSIFICATION RESULTS Countermeasure against Risk Management Even when data cannot be deleted, the form of data is devised so that it may be uninfluential. For example, it devises encrypting data etc. The specifications of the Cloud service are decided in advance so that they can be inspected. Cloud service uses unique authentication. Even if confidential information suddenly passes into the possession of unauthorized personnel, it cannot be read immediately. The Cloud service provider that has the best access privilege management is chosen. Classification 2) Combine with the Cloud service specifications. 1) Cloud service provider adjusts the specification. 2) Combine with the Cloud service specifications. 2) Combine with the Cloud service specifications. 1) Cloud service provider adjusts the specification.

COUNTERMEASURES AGAINST RISK ACCEPTANCE AND THEIR CLASSIFICATION RESULTS Countermeasure against Risk Management Classification

The original responsibility for an environmental impact is accepted. A user devises performing duplex-ization of data so that it may not be troubled, even if data disappears etc. The effects on an internal control, security audit, etc. are accepted.

Others

Others

Others

The Cloud service that can respond flexibly each time is chosen.

Others

TABLE VI. Level 3: Risks 1.1.1 Problem of Cooperation with Existing System 1.1.3 Problem of Unique Specification of Service Provider 2.1.1 Problem of Difference between Work Important Matter of Use Company and Cloud Service Provider Specification

COUNTERMEASURES AGAINST RISK AVOIDANCE AND THEIR CLASSIFICATION RESULTS Countermeasure against Risk Management When cooperation with an existing system is impossible, you have to install a new system. Moreover, do not introduce Cloud computing into systems with which it cannot cooperate. When you choose the Cloud service provider, do not choose service with low compatibility. Other methods are used when Cloud computing does not satisfy a work important matter. Classification

1) Users' adjustment 2) Choice of the Cloud service provider

1) Users' adjustment

E. Conclusion of Risk Management Analysis Result (1) Risk Transference: This has many risks caused by the Cloud service provider. (2) Risk Mitigation: This has many risks that come with using Cloud services, such as compliance, specification, and authentication.
151

(3) Risk Acceptance: This is characterized by indirect risks based on external factors, such as laws. (4) Risk Avoidance: This is characterized by risks based on different specifications used by the Cloud service provider and the user.

As mentioned above, the main results are as follows. The event classified into Risk Transference has the effective countermeasures which build insurance original with the Cloud service provider. With the event classified into Risk Mitigation, users' specification mitigation, adaptation of the specification corresponding to the Cloud service provider, etc. are considered to be effective as countermeasures. V. CONCLUSION

This paper analyzed Cloud computing security problems in detail on the basis of the risk breakdown structure (RBS) method and the risk matrix method. Furthermore, countermeasures were individually developed to satisfy extracted risks. That is, it is expected that the Cloud service provider can remove users' vague insecurity by the countermeasures proposed in this paper. We will evaluate the effectiveness of the proposed countermeasures quantitatively in the future. Accordingly, we will aim to improve objectivity and develop these ideas into specific proposals. REFERENCES
[1] Prime Minister's official residence: i-Japan strategy 2015, (in Japanese), http://www.kantei.go.jp/jp/singi/it2/kongo/digital/dai9/9siryou2.pdf Ministry of Internal Affairs and Communications : "Smart Cloud study group", (in Japanese), http://www.soumu.go.jp/menu_news/snews/02ryutsu05_000004.html Ministry of Internal Affairs and Communications : global Cloud base cooperation technical forum, (in Japanese), http://www.gictf.jp/ Amazon Elastic Compute Cloud (Amazon EC2), http://aws.amazon.com/ec2/#pricing Google Apps , http://www.google.com/a/help/intl/ja/admins/customers.html Force.com, http://www.salesforce.com/jp/platform/ Windows Azure, http://msdn.microsoft.com/jajp/azure/cc994380.aspx Naohiko Uramoto, Security and compliance in Cloud computing, IPSJ, Vol.50, No.11,pp1099-1105, Nov. 2009, (in Japanese) Nomura Research Institute, IT load map 2010 edition,2009, (in Japanese)

[10] T. Matsumoto, Cloud computing :What is the subject on security?, IPA, 2009, (in Japanese), http://www.ipa.go.jp/about/news/event/ipax2009/pdf/IPAX2009_secu rity_matsumoto.pdf [11] Manabi-ing, The 2nd Cloud computing opinion poll, (in Japanese), http://cloud.manabing.jp/cloud-news/ing7048.html [12] H.Sato,et al., A Cloud Trust Model in a Security Aware Cloud, SAINT2010, pp.121-124 [13] Gartner: Seven Cloud-computing Security Risks(2008).http://www.infoworld.com/d/security-central/gartnerseven-cioud-computing-security-risks-853 [14] Information security management for the use of cloud computing services based on ISO/IEC 27002, search.egov.go.jp/servlet/PcmFileDownload?seqNo=0000069865 [15] Yuji Yamanobe, the security evaluation benchmark of Cloud computing, (in Japanese), http://ynb.seiiku.net/emrui/1012cloudsecurity.pdf [16] Cloud Security Alliance , Security Guidance for Critical Areas of Focus in Cloud Computing - UPDATED February 14, 2011, http://www.cloudsecurityalliance.org/guidance.html

[2]

[3] [4] [5] [6] [7] [8] [9]

152