Research Proposal

A study of NIST SP 800-144 standard on IT risk management in cloud computing: Creating a novel framework for implementing it in Small and Medium sized Enterprises (SMEs) by applying COSO and ISACA’s Risk IT frameworks

Sandeep Kaur Sidhu

Student ID – 110075823

Master of Science (Computer & Information Science)

University of South Australia

Proposal submitted to the University of South Australia

School of Information Technology & Computer Sciences

In partial fulfilment of the

requirements for the degree of

Master of Science (Computer & Information Science)

Supervisor: Dr Kim-Kwang Raymond Choo

Date: June 2013

Abstract

Cloud computing is a new form of service-oriented computing in which clients are offered software applications, platforms, infrastructure, databases, and security as services. Currently, there are unclear regulations and models about how cloud computing vendors should undertake IT security and risk management accountabilities. NIST SP 800-144 is the first standard by a regulatory body on cloud computing security, but it needs to be supported by other standards and empirical theories. A synergised form of NIST SP 800-144 with COSO and Risk IT is proposed for SMEs to manage their own IT risks amid limited expectations from cloud service providers and uncertainty about the applicable regulations. The three standards can be used on the assumption that not everything is under the control of even large-scale enterprises, yet those enterprises still manage their risks. The same philosophy of certain internal practices in an uncertain external environment can be applied by SMEs as well. The findings reveal how SMEs can plan their cloud hosting ambitions, how they can define their own standards and expectations, how they can select multiple clouds, and how they can build their own controls by using multiple cloud service providers with some additional investment.

Table of Contents

Table of Figures: 4

Chapter 1: Introduction 5

1.1. Background and context 5

1.2. Research motivation 8

1.3. Research aim and objectives 10

1.4. Research questions 10

1.5. Contribution to the Research 11

Chapter 2: Literature review 12

2.1. Introduction 12

2.2. Empirical review of IT risk management 12

2.3. IT risk management frameworks 14

2.4. Empirical review of cloud computing 18

2.5. Security risks and IT risk management in cloud computing 20

2.6. A review of NIST 800-144 framework 24

2.7. Summary 25

Chapter 3: Research Methodology 26

3.1. Philosophy, approach, and methodology 26

3.2. Research methods 27

3.3. Sampling 29

3.4. Data collection 30

3.5. Data analysis 31

3.6. Ethical considerations 31

3.7. Summary 31

Chapter 4: Research significance and expectations 33

4.1. Research Plan & Schedule 34

4.2. Provisional Thesis Table of Contents 34

References 36

Table of Figures:

Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4) 7

Figure 2: An example integrated model of risk management framework in cloud computing based on COSO framework (Horwath et al., 2012: p. 9) 8

Figure 3: An overview of Risk IT Framework (ISACA, 2009, p. 33) 15

Figure 4: COSO Risk Management Framework (COSO, 2004, p. 2) 17

Figure 5: The multi-level service oriented architecture in the cloud computing (Zhang, Cheng, and Boutaba, 2009: p. 10) 19

Figure 6: Research Plan 34

Chapter 1: Introduction

1.1. Background and context

This research is related to IT risk management challenges in cloud computing and the practical implementation of the NIST SP 800-144 standard, which is specifically designed for risk management in the cloud. Cloud computing has emerged as a new concept of commodity services in the world of computing, storage, broadband network access, platform services, and software services (Doherty, Carcary, and Conway, 2012: p. 2). Cloud computing vendors like Google, Microsoft, and Amazon offer rapid provisioning of on-demand, self-operating services with minimal intervention by the service provider (Clemons and Chen, 2010: p. 3). These benefits are mostly taken up by small and medium-sized enterprises, given their lack of capital funding for establishing expensive self-hosted IT infrastructure (Miller, 2009: p. 9-10).

Cloud computing offers many business benefits to customers, especially in saving operating costs, managing IT-enabled businesses with minimal administrative overheads, and getting access to world-class software platforms and applications managed by their original manufacturers (Doherty, Carcary, and Conway, 2012: p. 2). However, cloud computing carries multiple IT risks due to shared platforms, data confidentiality and privacy in user areas protected only by virtual boundaries, identity theft, privacy issues, vendor or data lock-in, loss of governance, loss of compliance, insider trading, and shared network and software vulnerabilities (Doherty, Carcary, and Conway, 2012: p. 3-4; ENISA, 2010: p. 5-6). Given that cloud computing systems are multi-vendor and multi-tenant, a standard, legally enforceable risk management framework incorporating all service providers and tenants is the key challenge (ENISA, 2010: p. 3).

Risks in cloud computing arise from shared services, cross-border litigation, data location, inter-cloud compatibility issues, lack of legal support for consumers, trust issues with service providers, IT security risks, consumer issues, privacy issues, data segregation issues, and data proliferation issues (Chandran and Agnepat, 2010: p. 3-5; Clemons and Chen, 2010: p. 5-7; Fan and Chen, 2012: p. 23-24; Jansen, 2011: p. 2-4; Sabahi, 2011: p. 245-247).

Fan and Chen (2012: p. 20-21) proposed that there should be an integrated risk management standard incorporating regulators, service providers, and customers. This standard should also take care of cross-border litigation issues and data location uncertainty. A model for analysing risks at the component level of the multiple layers of cloud computing needs to be established and agreed among all parties based on their priorities and impacts. This can be done by applying globally accepted standards like COSO, Risk IT (COBIT 5), and ISO 27005. For example, Ahmad and Janczewski (2010: p. 4) presented a triangulated model of cloud computing security that integrates globally accepted security standards, statutory laws, and cloud services (Figure 1). In this model, the cloud service provider can choose any standard or set of standards for implementing risk management as long as they are integrated with the statutory laws and regulations applicable to the services offered. Hence, if Sarbanes-Oxley 2002 regulators recognise ISO 27005 for self-hosted IT infrastructure, cloud computing service providers can adopt ISO 27005 and customise it to implement an effective IT risk management framework covering each component on the cloud, such that they can demonstrate compliance with Sarbanes-Oxley regulations.

Figure 1: A triangulated model of cloud security (Ahmad and Janczewski, 2010: p. 4)

Horwath et al. (2012: p. 8-9) presented an example scenario (Figure 2) of how such an integrated model can be implemented using the COSO (Committee of Sponsoring Organizations of the Treadway Commission) risk management framework. They integrated the candidates offering cloud solutions, service delivery models, deployment models, business processes, and regulatory governance requirements in a single risk management framework based on the COSO standard. They recommended that the COSO enterprise risk management framework can be used to define, establish, and continuously improve an audit checklist used by regulators. Once standardised and enforced, all cloud service and solution providers will implement controls in accordance with the standard and incorporate terms in agreements with specific roles for cloud tenants and service providers.

Figure 2: An example integrated model of risk management framework in cloud computing based on COSO framework (Horwath et al., 2012: p. 9)

1.2. Research Motivation

The problem is that there is a need for a standardised risk management framework for cloud computing that is accepted globally for regulatory compliance. The Cloud Security Alliance has recommended standard methods for risk management on cloud computing (IET, 2012: p. 3). However, these recommendations have not been standardised by regulatory authorities. Mostly, regulatory authorities prefer the ISO 27005, ISO 27001, ISO 27002, and COBIT standards for demonstrating regulatory compliance of IT security and risk management (IET, 2012: p. 5-6). Cloud service providers need to find ways of using these standards for IT risk management. A new ISO standard (ISO 27017) is emerging for cloud computing risk management and is expected to be ratified in 2014. It may become the preferred choice of regulators, but until then there is a serious lack of internationally accepted standards fit for regulatory compliance of security and risk management by cloud service providers (Rittinghouse and Ransome, 2010: p. 158-159). This problem poses a serious business risk for SMEs, given that they have the most prominent reasons to adopt cloud computing services and are rapidly moving their IT systems to the cloud (Dai, 2009: p. 56; Haselmann and Vossen, 2011: p. 10; Jansen and Grance, 2011: p. 21; Karabek, Kleinert, and Pohl, 2011: p. 28).

NIST SP 800-144 is the first US regulatory standard for implementing risk management in the cloud (Jansen and Grance, 2011). The standard was released in 2011 but is not yet adequately supported by implementation procedures through which cloud providers could adopt a standardised framework for managing cloud risks. The standard needs exploratory study so that it can be mapped to other established standards used for IT risk management. The above problem description and this challenge have been taken as the research problem. The researcher intends to explore the NIST SP 800-144 standard and map it to the COSO and ISACA Risk IT standards so that an appropriate risk management framework for SMEs using cloud computing can be proposed.

1.3. Research aim and objectives

With reference to the background and context established above, and the research problem, the following research aim is defined for this research:

Aim: To explore the NIST SP 800-144, COSO, and Risk IT standards and the existing theories complementing their recommendations, and to propose an IT risk management framework for SMEs using cloud computing to run their businesses. In the absence of established standards proposed by regulators, this research will focus on how SMEs can protect themselves from IT risks while using cloud-hosted resources.

The aim is supported by the following research objectives:

(a)  To study the IT risk exposures of businesses using cloud computing resources

(b)  To explore the NIST SP 800-144, COSO, and Risk IT standards and the existing theories complementing their recommendations

(c)  To analyse how these standards can help SMEs that depend on cloud-hosted resources for running their businesses to manage IT risks

1.4. Research questions

This research is directed by the aim and objectives proposed above for finding answers to the following research questions:

(a)  What are the IT risk exposures of businesses that use cloud-hosted resources for running their business processes?

(b)  How could the NIST SP 800-144 standard be supported by the COSO and Risk IT standards and the existing theories complementing their recommendations?

(c)  How can the NIST SP 800-144, COSO, and Risk IT standards help SMEs that depend on cloud-hosted resources to manage their IT risks?

These questions will be answered through exploratory study of the literature on cloud computing security and risk management and of the standard documents named above.

1.5. Contribution of this research

The NIST SP 800-144 standard cannot by itself serve the purpose of creating and implementing security policies and procedures on cloud computing. It definitely has some firm guidelines, but they need to be augmented by practical research studies and outcomes. In this research, the researcher has identified and reviewed the literature presenting recommendations on controls that can usefully augment the recommendations of this standard. This research presents a consolidated view of such controls and an actionable framework that can be tested and adopted in real-world environments or used for further research.

Chapter 2: Literature review

2.1. Introduction

Cloud computing is a new framework for delivering IT services to customers who connect to its various layers through the Internet. It has gained significant popularity in recent years due to the lowered capital expenses and affordable revenue expenses offered to cloud tenants. However, the threats and uncertainties looming over cloud computing are wider, due to shared infrastructure, virtual tenant boundaries, and the spreading of data across multiple locations beyond territorial jurisdiction by virtualised storage systems connected through virtual networking. These challenges have caused privacy and trust issues, leading to reluctance by many business entities and public sector organisations to adopt cloud services. In view of these challenges, NIST has released the standard SP 800-144 for managing risks in cloud computing. Given that it is a new standard, there are no academic references on the practical implementation of SP 800-144 in organisations. This research proposes to combine SP 800-144 with two popular risk management frameworks, ISACA's Risk IT and COSO, to design an actionable risk management framework for small and medium-sized enterprises using cloud hosting for their IT service needs. The resulting framework will be validated by interviewing risk management practitioners.

2.2. Empirical review of IT risk management

Risk management in IT is concerned with the protection of IT assets such that the negative impacts on the business due to loss, unauthorised modification, or unavailability of an IT asset can be minimised or eliminated completely (Humphreys, Moses, Plate, 1998: p. 11). IT assets comprise information units (business-related documents and records) and the assets used for creating, processing, disseminating, storing, transmitting, and archiving those information units (Humphreys, Moses, Plate, 1998: p. 11). IT assets are exposed to numerous threats emanating from the Internet or from internal hackers (Elgarnal, 2009: p. 12). These threats can compromise the confidentiality, integrity, and availability of IT assets, leading to financial, legal, reputational, customer, and employee impacts on the organisation (Dhillon and Backhouse, 2000: p. 126; Humphreys, Moses, Plate, 1998: p. 9). Identification, assessment, and management of IT risks are needed to reduce or eliminate vulnerabilities so that external threats do not compromise the IT assets or their confidentiality, integrity, and availability (Anderson and Choobineh, 2008: p. 24; Humphreys, Moses, Plate, 1998: p. 14; Ozkan and Karabacak, 2010: p. 568).

The risk identification, assessment, and management framework comprises quantitative evaluation of the influencing factors and the assignment of values to them (Ozkan and Karabacak, 2010: p. 572; Humphreys, Moses, Plate, 1998: p. 22). The key values of concern are the importance of assets to the business, the most relevant threats, the magnitude of impacts on the business, the probability of those impacts, and the internal vulnerabilities prevailing in the IT systems of the organisation (Gandotra, Singhal, and Bedi, 2009: p. 720-721; Humphreys, Moses, Plate, 1998: p. 24-25; Ozkan and Karabacak, 2010: p. 570). The risk value is a quantitative outcome of the asset value (a function of the confidentiality, integrity, and availability ratings), the threat value (the product of the probability value and the impact value), and the vulnerability value (the probability of breach) (Gandotra, Singhal, and Bedi, 2009: p. 722; Humphreys, Moses, Plate, 1998: p. 25). Finally, all risks are logged in an enterprise-wide risk register and assigned to individual risk managers, who invoke risk treatment by avoiding, accepting, transferring, or eliminating the risks (Shortreed, 2008: p. 10-11).
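The scoring model described above can be made concrete as a small risk register. The following Python is an added worked example written for this proposal, not code from the cited authors or from any of the standards discussed: it computes the asset value from the CIA ratings (here assumed to be the maximum of the three), the threat value as probability times impact, the vulnerability value as the probability that an attempted breach succeeds, and the risk value as their product, then logs each entry, ranks the register, and assigns a treatment. The CIA and impact scales (1 to 5), the treatment thresholds, and the three cloud-themed sample entries are all constructed for illustration.

```python
"""Minimal IT risk register built on the asset x threat x vulnerability model.

Added illustration for this proposal; the rating scales, thresholds and
sample entries are constructed assumptions, not figures from any standard.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed treatment thresholds on the 0..25 risk scale that results from
# asset value (1..5) x threat value (probability 0..1 x impact 1..5)
# x vulnerability (0..1). These are constructed for the example.
ACCEPT_BELOW = 2.0      # low residual risk: accept and monitor
TRANSFER_BELOW = 8.0    # medium: transfer (insurance, contractual clauses)
# anything at or above TRANSFER_BELOW: eliminate (remove the vulnerability)


@dataclass
class Risk:
    asset: str
    threat: str
    owner: str            # individual risk manager the entry is assigned to
    c: int                # confidentiality rating, 1..5
    i: int                # integrity rating, 1..5
    a: int                # availability rating, 1..5
    probability: float    # likelihood the threat materialises, 0..1
    impact: int           # business impact if it does, 1..5
    vulnerability: float  # probability an attempt actually breaches the asset, 0..1
    treatment: str = ""   # avoid / accept / transfer / eliminate

    def asset_value(self) -> int:
        # Assumed aggregation: the asset is as valuable as its most sensitive property.
        return max(self.c, self.i, self.a)

    def threat_value(self) -> float:
        # Threat value = probability x impact, as described in Section 2.2.
        return self.probability * self.impact

    def risk_value(self) -> float:
        # Risk value = asset value x threat value x vulnerability value.
        return round(self.asset_value() * self.threat_value() * self.vulnerability, 4)


def default_treatment(risk_value: float) -> str:
    """Map a risk value onto a treatment using the assumed thresholds.
    'avoid' is deliberately not chosen automatically: it means dropping the
    activity that creates the exposure, which is a business decision."""
    if risk_value < ACCEPT_BELOW:
        return "accept"
    if risk_value < TRANSFER_BELOW:
        return "transfer"
    return "eliminate"


def register_risks(risks: List[Risk]) -> List[Risk]:
    """Assign a treatment to every entry lacking one and return the register
    ranked by descending risk value, the order an SME would work through it."""
    for r in risks:
        if not r.treatment:
            r.treatment = default_treatment(r.risk_value())
    return sorted(risks, key=lambda r: r.risk_value(), reverse=True)


def treatment_summary(register: List[Risk]) -> Dict[str, List[str]]:
    """Group asset names by treatment so each owner sees their workload."""
    summary: Dict[str, List[str]] = {}
    for r in register:
        summary.setdefault(r.treatment, []).append(r.asset)
    return summary


def sample_register() -> List[Risk]:
    """Constructed sample entries for an SME running on cloud-hosted services."""
    return [
        Risk("Customer database (SaaS)", "Data exposure via shared tenancy", "R. Lee",
             c=5, i=4, a=3, probability=0.3, impact=5, vulnerability=0.4),
        Risk("Public web front end (IaaS)", "Denial of service", "A. Singh",
             c=1, i=2, a=5, probability=0.6, impact=4, vulnerability=0.8),
        Risk("Marketing brochures (object storage)", "Accidental deletion", "M. Chen",
             c=1, i=2, a=2, probability=0.5, impact=1, vulnerability=0.9),
    ]


if __name__ == "__main__":
    for r in register_risks(sample_register()):
        print(f"{r.risk_value():5.2f}  {r.treatment:9s}  {r.owner:9s}  {r.asset}: {r.threat}")
```

Running the block ranks the web front end first (risk value 9.6, eliminate), the customer database second (3.0, transfer) and the brochures last (0.9, accept). The `avoid` treatment is left out of the automatic mapping on purpose: avoiding a risk means not running the cloud-hosted activity at all, which the register should surface to the owner rather than decide for them.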