A Risk Management Framework for Cloud Migration Decision Support

Abstract

first_page settings Order Article Reprints Font Type: Arial Georgia Verdana Font Size: Aa Aa Aa Line Spacing:    Column Width:    Background: Open AccessArticle A Risk Management Framework for Cloud Migration Decision Support by Shareeful Islam 1,*, Stefan Fenz 2, Edgar Weippl 2 and Haralambos Mouratidis 3 1 School of Architecture, Computing and Engineering, University of East London, London E162RD, UK 2 Secure Business Austria, Sommerpalais Harrach, Favoritenstrasse 16, 1040 Wien, Austria 3 School of Computing, Engineering, and Mathematics, University of Brighton, Brighton BN2 4GJ, UK * Author to whom correspondence should be addressed. J. Risk Financial Manag. 2017, 10(2), 10; https://doi.org/10.3390/jrfm10020010 Received: 22 February 2017 / Revised: 6 April 2017 / Accepted: 10 April 2017 / Published: 22 April 2017 (This article belongs to the Special Issue Risk Management Based on Intelligent Information Processing) Download Download PDF Download PDF with Cover Download XML Download Epub Browse Figures Versions Notes Abstract: Managing risks is of paramount importance for enabling a widespread adoption of cloud computing. Users need to understand the risks associated with the process of migrating applications and data, so that appropriate mechanisms can be taken into consideration. However, risk management in cloud computing differs from risk management in a traditional computing environment due to the unique characteristics of the cloud and the users’ dependency on the cloud service provider for risk control. This paper presents a risk management framework to support users with cloud migration decisions. In particular, the framework enables users to identify risks, based on the relative importance of the migration goals and analyzed the risks with a semi-quantitative approach. This allows users to make accurate cloud migration decisions, based on specific migration scenarios. Our framework follows basic risk management principles and proposes a novel and structured process and a well-defined method for managing risks and making migration decisions. A practical migration use case about collaborative application such as e-mail and document migration is considered to demonstrate the applicability of our work. The results from the studied context show that risks in cloud computing mainly depend on the specific migration scenario and organization context. A cloud service provider is not alone responsible for mitigating all the risks; hence, depending on the type of risk, the cloud user is also responsible for risk mitigation. Keywords: risk management framework; risk assessment; cloud migration; security; analytic hierarchy process (AHP); business value 1. IntroductionCloud computing provides many benefits for organization; specifically, cost saving, accessibility, and low maintenance overhead are well documented. There are risks associated with all aspects of cloud computing that are viewed as significant barriers for its widespread adoption [1,2]. Apart from the existing risks of computing infrastructure in general, the paradigm has new threats and risks that result from the unique characteristics of cloud computing and which need to be analyzed and controlled. The risks of the cloud, such as data leakage, lock-in, noncompliance with enterprise policies, and migration difficulties, could lead to a loss for business continuity that outweighs the expected benefits of using the cloud [3,4,5,6]. Moreover, risk varies depending on the cloud models and thus need to be addressed differently in different cases. The risk mitigation plan is also challenging even for the risks that are similar to other computing platforms and must be performed at service, data and infrastructure layers. This is because users have no control over or even any knowledge of the data once it has been migrated into the cloud infrastructure. Risk management is one of the biggest concerns in cloud computing. It can outweigh the expected potential benefits of using the cloud and critical for businesses to stay functional and competitive. However, traditional risk management approaches need customization for supporting risk assessment in the cloud due to the variation of threats, cloud models, lack of users’ control over the implementation of the risk control measures.Existing efforts in the literature, which identify and analyze the risks for the cloud-based context, mostly consider security and privacy perspectives [7,8,9]. A limited number of works considers a systematic process for assessing and managing risks and making users aware of the issues that need adequate attention before considering the adoption of a cloud service. The novel contribution of this paper is a framework that supports (i) consideration of risk management from a holistic view of business, organizational and technical perspectives; (ii) a systematic process for assessing and managing risks based on the users’ cloud migration context and relative importance of the migration goals; and (iii) supporting the users in making their cloud migration decision based on the assurance of existence risk control measures. Risk management in cloud computing is challenging comparing to traditional computing environment due to unique cloud characteristics such as multi tenancy and elasticity, which bring risks. Furthermore, risk control actions are not always under the control of the user, hence depending on the type of risks cloud service provider is also responsible for managing the risks. Our approach focuses on all these issues and contributes for assessing and managing the risks before any migration decision is taken. We consider six main migration goals—business value, organization function, confidentiality, integrity, availability and transparency—and determine the relative importance of the goals using an analytic hierarchical process based on the specific user’s organizational context. The prioritized goals are used to assess the risks using a semi-quantitative approach to determine the risk level. Risk control actions are then identified based on the risk levels. Finally, the migration decision is taken based on the assurance that the potential cloud providers offers the necessary control measures for the risks that are out of users’ control. The reason for considering the migration goals for risk management is that risk is defined as a negation of a goal. Organizations that intend to migrate their data into the cloud have certain number goals or objectives that they want to achieve with the migration decision, and risks certainly obstruct these goals. To demonstrate the applicability of our work, we consider a real migration use case from the SBA Research institute. The use case is about migrating collaborating applications which are critical for the business acceleration, improved productivity and decision making of SBA. The main goal is to evaluate the usefulness of the framework to identify the risks and to support for making the migration decision. We combine a case study method with action research, so that identified risks, controls and assurance of control measures can support SBA in making the migration decision.The paper is structured as follows: The next section provides a detailed description of related work for risk management in the cloud computing context. The subsequent section describes the framework including the conceptual view and process, followed by the evaluation section, which demonstrates the applicability of our proposed approach with a case study. The final section concludes the paper and presents directions for future work. 2. Related WorkThere are several publications that focus on risk management methods, migration decision support and on identifying risks for the cloud. This section reviews existing works in the area of risk management, security and privacy risks, which are related to our work. 2.1. Risk Management Framework and Migration Decision Support in the Cloud A risk management framework should provide a comprehensive guideline for assessing and managing the identified risks. In [4], Islam et al. propose a goal-driven approach to analyze security and privacy risks of cloud-based systems. In [7], Saripalli and Walters propose a QUIRC security risk management framework based on six central cloud-specific security criteria, i.e., confidentiality, integrity, availability, multiparty trust, mutual auditability and usability, to identify and assess the security risks. In [8], Samad et al. consider a quantitative risk model for dynamic mobile cloud environments. Risks in such systems are related to connectivity, limited resources, security, and limited power supply at the system level. In [9], Zhang et al. propose a security risk management framework for the cloud computing environment by following the ISO/IEC 27001:2005 standard. The process starts with the identification of critical areas, strategy and planning, followed by risk analysis and control. The framework is very generic and can be applied to any context. It does not provide any guidelines for determining the risk levels. There are standards such as ISO 31000:2009, which provides guideline risk management activities and considers risk management an integral part of the overall organizational processes, including strategic planning and all project and change management processes [10]. Fit’o et al. consider business level objective-driven semi-quantitative cloud risk assessment [11]. The risk level is estimated for each business level objective based on the probability of occurrence and impact. Five different risk levels are defined: critical, unacceptable, negligible, profitable and high profitable. Such an approach helps to determine profit maximization as a business level objective. However, the work is at a very early stage with a very brief description of the risk level estimation that makes it difficult to understand. Fit’o et al. in [12] also propose a Business-Driven IT Management (BDIM) model and optimization loop which aims to fulfill cloud service provider’s business strategies. It includes three different levels of BDIM and links the levels with cloud environment and policy management framework. The optimization loop mainly considers fulfillment of business level objectives by looking IT event consequences on business results.There are also works that focus on the understanding of the risks associated with the specific cloud migration scenario and demonstrate the real benefits of cloud migration decision support. Gadia presents a case study of a software development company which intended to migrate into the IaaS based solution instead of existing SaaS using cloud risk assessment [13]. There are several audit findings that provide gaps by the CSP to achieve the security objectives such as provider contract does not address the users security and privacy requirements, multi-factor authentication was missing, and sensitive data is exchange without secure a channel. ENISA analyzes three use-case scenarios, i.e., SME perspective, service resilience, and e-health, for the purpose of risk assessment [14]. The results identified a list of high level risk such as lock-in, malicious insider loss of governance, compliance challenges and isolation failure, and medium ranked risks are such as loss of business reputation, service failure, cloud provider acquisition, and supply chain failure. The risks impacts are varying depending on the type of cloud model. The security transparency framework to address the risks relating to violation of service level agreement is proposed by [15]. Microsoft proposes a cloud risk decision framework by following the overall process of ISO 31000 standard so that the right decision about the viability of cloud migration proposal can be obtained [16]. The COSO enterprise risk management for cloud computing emphasize on the higher level of inherent risk due to less direct control of enterprise assets migrated into cloud [17]. Therefore, there could be small investment for cloud migration as one of the well-known benefits but it could incur a big impact. The decision should consider the enterprise business process that the cloud could support, service and deployment model, and the nature of provider’s risks and control environment. 2.2. Risks in the CloudRisks are the potential negative consequences that could outweigh the benefits of the cloud adoption. Lemos identified five main negative aspects of cloud computing: less legal protection, hardware ownership, policy, untrustworthy machine instances and individual assumptions [18]. In a European Network and Information Security Agency report, Catteddu and Hogbun pointed out legal risks besides security and privacy risks in the cloud from an organizational perspective [19]. Similar to the traditional computing environment, attacks like man-in-the middle, cryptographic, and Trojan attacks are also potentially applicable in cloud computing [20]. There are several works that demonstrate successful attacks on cloud service provider (CSP) infrastructure. In [21], islam et al. identify the goals and risk of cloud migration. In [22], Theoharidou et al. examined the privacy risks migrating data, applications or services into the cloud by following privacy impact assessment with ten fundamental privacy principles such as accountability, clear purpose, and consent. Vimercati et al. review the privacy risks and existing solutions for managing and accessing data in the cloud [23]. The risks are related to data dissemination and sharing, external storage of data, collaborative query execution, and anonymous communication for access data and storing it into the cloud. Pearson identified several privacy risks for cloud computing for users, organizations, cloud platform implementers, and providers. In particular, the main risks are disclosure of personal information, noncompliance with enterprise policies, loss of reputation [24]. In [25], Khosravani et al. present a case study about managing the risk of cloud adoption associated with highly sensitive data on children and sexual abuse cases of a charity. The case study is evaluated through a framework that analyzes the trust and controls for mitigating the risk of cloud adoption. Khajeh-Hosseini et al. identified potential benefits and risks for migrating into the cloud in a case study of an oil and gas industry SME in the UK [26]. The results showed that there are definite cost-saving system infrastructure advantages, i.e., a 37% reduction in costs over 5 years on EC2 as well as a 21% reduction in support calls. The study concluded that despite the advantages there are socio-technical issues that must be taken into consideration for cloud migration.To summarize, all the works mentioned above justify the necessity and importance of considering risk management for cloud computing. We have identified several observations that demonstrate a number of limitations of the existing works. There is no comprehensive risk management framework that supports an organization by identifying potential risks before considering cloud adoption. Most of the risk management frameworks emphasize more on security and privacy risks rather than looking at other areas of the existing organizational context. Furthermore, there is a limited effort in the existing work to consider estimation of accurate risks level. Every organization intends to migrate into cloud certainly expects several benefits for using cloud and these benefits are the goals. Therefore, it is necessary to analyze these goals before taking any migration decision. Our work intends to fill these gaps and hence improves the existing risk management practice for the cloud computing domain. In particular, the novel contribution of our work is a risk management framework that supports the users with cloud migration decision looking at the migration goals, inherent risks and existing controls. The risks are considered from a holistic perspective of technical and non technical dimensions. The framework considers six generic migration goals and determines the net level of identified risks based on the relative importance of the migration goals. This helps user to understand as an early warning what could go wrong if the migration decision is taken place so that an informed decision can be taken for cloud migration. 3. Risk Management FrameworkThe proposed framework provides a comprehensive view of the risks to support an organization in making the cloud migration decision and balances the benefits with the potential risks. The scope of the risk management framework is to support the cloud migration decision and to monitor the risks during the operation. The framework includes risk management areas, conceptual view and a process for this purpose. 3.1. Conceptual ViewFigure 1 shows an abstract view of the risk management framework. It includes several concepts such as migration goal, migration profile, risk, control, and assurance. We follow the existing risks management approaches, cloud computing, and goal modeling language to identify these concepts. Goals are the objective and expectation to support the organization due to the cloud migration. Risks are derived from the risk management areas and migration profiles. The risks obstruct the migration goals and need appropriate assessment. We follow the semi-quantitative risk assessment approach based on the risk event likelihood, impact, and prioritized migration goals. The assessment shows which risks need to be controlled based on the organizational context and migration profile. Risks are controlled by following different control strategies such as prevention, reduction or avoidance. The cloud user needs to ensure that appropriate measures are in place for controlling the risks. Therefore, assurance is necessary to confirm that the relevant control measure is complete. The user’s migration decision depends on the results of this assurance and information within the migrated entities. If the migration decision is taken, it is necessary to monitor the evolution of key risks and development of new risks and take appropriate actions to control the evolved and new risks. The concepts are linked with each other through the activities to support tasks for the purpose of risk identification, assessment, mitigation and migration decision. The concepts are used within the task for transformation of output from input and assign different values. For instance, identify and categorize risks activity identifies the possible risk as a concept and causes as factors for the concept due to the cloud migration within the existing business context based on a specific migration profile. These risks are then assessed by using the relative importance of the migration goal and likelihood and impact properties of risk through the risk analyse and control activity. The task migration decision is triggered based on the level of completeness of assurance concept for the risk mitigation and supports an informative migration decision. Once the decision is taken, it is necessary to monitor the existing risks and identify any new risks due to the evolution of cloud platforms, changing of user needs, requirements or amendments to the CSP’s terms and conditions. The task monitor risks in operation uses monitor concept to check the net risk level before and after the migration and identify any new risk that needs adequate attention. 3.2. Risk Management ProcessThe process comprises of four sequential systematic collections of activities 2. Each of these activities has specific inputs and results in specific output artefacts. We follow the guidelines of the existing risk management standards ISO31000 and ISMS standard ISO27001:2013 to define the process [27]. A brief description of the activities is given below. Activity 1: Initialize Risk ManagementThis is the first activity, which establishes the risk management context by following the cloud migration profile and formally approves the risk management activities within the organization. This requires active involvement of the management representatives and risk manager for planning the risk management activities focusing on the migration goals. This activity includes two tasks: defining the migration profile and planning risk management. Task 1A: Define Migration ProfileThe migration profile analyzes the existing organizational context and rationalizes the migration needs. This phase identifies the migration goals, organizational strengths and weaknesses, migration type, and potential migrated assets profile. It is also necessary to identify the key operational responsibilities to support the migration activities. Goals play a key role for risk management. These goals are the benefits and expectations of the cloud migration and have a potential impact on the organization. We consider six main migration goals, as given below: Business Value (BV): This goal includes the main business gain in terms of financial profit, maintenance benefits, service delivery, business growth—specifically in new markets—and competitive advantages due to cloud migration.Organization Function (OF): The organization function goal considers key operations for successfully running the business, including internal process improvement, customer services, human resources, collaboration with internal units and business partners, business continuity and disaster recovery, and efficient IT usage and IT availability.Confidentiality (C): This goal deals with not disclosing data to unauthorized users, including cloud users, CSP-internal users, and malicious attackers. The goal also includes secure deletion and transfer of data between authorized parties to prevent the data leakage.Integrity (I): Integrity refers to the trustworthiness of the migrated resources. In particular, the data migrated into the cloud must only be modifiable by authorized users.Availability (A): Availability refers to the migrated resources, such as data or applications, being accessible when needed and the cloud service being available as per the agreement.Transparency (T): Transparency refers to the dissemination of information about access to and usage of user data, security incidents and audit reports by the cloud service provider. It also considers real-time monitoring of virtual machines and SLAs. Transparency is critical for the mutual trust between the user and the CSP. Task 1B: Plan Risk ManagementThis task initiates the implementation of risk management by determining the risk management scope, schedule and resources, risk treatment and monitoring strategy (if applicable) based on the migration profile. Risk management for the cloud entails supporting complex migration decisions; therefore, the plan should consider a proactive approach for risk control. The plan also determines the riskiness of the potential migrated project, in particular, how risky the cloud migration would be in terms of cost, schedule, risk control and business continuity. There are three levels of riskiness: high, medium and low. Generally, if an in-house application needs major amendment, employees lack the skill needed for the migration to the new technology, security controls and CSP support are poor, or the plan is to migrate highly sensitive data, the level of riskiness of the migration project could be high. There are various assets involved in the migration, and the functionalities of these assets change over time. The plan also identifies use cases/applications (if any) that are inappropriate for the cloud based on the risk levels and existing countermeasures. This helps isolate the assets involved and how they change over time to identify the vulnerabilities of the cloud environment. This activity mainly outputs the risk management plan and riskiness level of the overall migration project. Activity 2: Identify and Categorize RisksOnce the risk management context and migration profile has been defined, the next activity is to identify all possible risks that could have an impact on the cloud migration. The input for this activity is the risk management and migration context identified by the previous activity and output produced by the activity is the risks list and associated category. This activity consists of two tasks. Task 2A: Identify RisksThis task identifies all the possible risks and associated factors that could have an impact on the cloud migration project. Risk factors are the main causes of any risk, and controlling these factors is the initial concern of risk management. We need to identify as many risk factors as possible so that the organization is aware of the possible problems that could occur if the migration is undertaken. All risk factors and risk have unique name. One factor can influence more than one risk. Several techniques are employed for risk identification, such as reviewing the migration profile, criticality of the data, and interviewing the experienced organizational staff. Applications that are candidates for cloud migration, existing risk details from other projects of the organization, users’ organizational environment and technical expertise with cloud technology, and risks from literature relating to cloud migration should be taken into consideration while identifying the risks. Risks focus on the major threats to the cloud models that could hinder the achieving of the migration goals during the cloud deployment and operation of the migrated entities. Risks like loss of revenue and data leakage are common in the context of cloud attack surfaces. In the case of the cloud, risk could be exploited by a malicious application as well as internal organizational users, CSP employees, and other tenants. Task 2B: Categorize RisksThe identified risks should be categorized based on their impact on the organization’s overall business continuity and ability to fulfill its mission and day-to-day tasks. We categorize risks into three groups: business, organizational, and technical. A brief overview of given below: Business risks: These risks directly obstruct the achieving of the user’s main business goals. Business risks reduce the financial benefits and brand value and incur financial loss for the overall business continuity.Organizational risks: Such risks mainly focus on issues relating to the user’s and cloud provider’s overall organizational operational context. For instance, a cloud user organization’s employee’s inadequate experience with cloud technology and maintenance difficulties could lead to a severe business disruption while migrating and operating in the cloud. It is hard to predict and control human factors relating to human error and behaviors that pose a risk in the cloud context.Technical risks: These risks include underlying technical issues such as the cloud platform being affected by malicious code, hypervisor-level attacks, data leakage due to the multi-tenancy architecture, system malfunctions, or unauthorized transmission, which are more probable in a cloud-based context. Security and privacy issues play a critical role for the technical risks. In particular, the loss of confidentiality, integrity and availability as well as lack of transparency would certainly disrupt the business mission. Activity 3: Analyze and Control RisksRisk analysis helps creating a preliminary assessment to protect various assets and prevent certain threats from happening. This activity assesses the risks to determine the net risk value and identifies the necessary control action for mitigating the risks. Therefore, risk assessment plays a critical role in this activity. Using the full quantitative risk assessment method is challenging in the cloud computing domain due to the difficulty of obtaining precise risk probability and impact values based on historic data. It is also time consuming and costly. However, such an approach provides an accurate measurement of risk magnitude. Qualitative approach instead does not require precise values for calculating the risk probability and impact. However, such approach does not provide a precise value of risk. We follow semi-quantitative approach for determining the risk level. Hence, our goal is to provide a simple and straightforward estimation process for usable risk management. This activity consists of two tasks: Task 3A: Assess RisksOnce the risks and risk factors have been identified in the previous activity, we need to calculate the net risk value. This task calculates the net risk value based on the relative importance of the affected migration goal. We follow a semi-quantitative assessment approach for determining the net risk level. This task consists of two steps. Step 1: Relative Importance of Migration GoalsIn our case, the net risk calculation depends on the relative importance of the migration goals. We use the analytic hierarchy process (AHP) for this purpose [28]. Each goal is compared with the other goals based on its importance level within the organizational context for the cloud migration. The importance levels follow the AHP scales, i.e., 1–9 as shown in Table 1, where 1 denotes equal importance and 9 is the extreme importance of one goal compared to another. The relative importance is the weight factor of the normalized principal Eigen vector value of the migration goal. Once the importance level has been obtained, the comparison matrix CM values are normalized to identify the relative weight of each goal. The sum of the weight values should be 1. Generally, the experienced staffs of a migration project need to agree on values for the importance levels. It is necessary to check the consistency of weight values by following Equation (1) according to AHP to avoid any inconsistency of the ranking values. If the consistency rat