Conducting Risk Assessment: Cloud Provider Perspective
Eskelinen, Jonna-Janita (2016)
Metropolia Ammattikorkeakoulu
2016
All rights reserved
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2016110615780
Abstract
The goal of this Master's Thesis was to study the risks a cloud service provider should be prepared to meet, and to perform a risk assessment for the case company's proof of concept cloud, in which the company acts as the service provider. For security reasons, the study concentrates on the risk assessment process rather than on the specific results, but the results are discussed at a high level in order to evaluate the suitability of the selected methods for the cloud.
This thesis was done in two parts. First, the previous research on cloud security risks was studied, and then the actual risk assessment was performed. Most of the previous research was made from the viewpoint of the cloud user rather than the provider, so in this study the reports are analysed to determine which of the risks also apply to the cloud provider. The risk assessment performed in this study was qualitative and followed the framework of the ISO/IEC 27005:2011 standard. STRIDE was selected as the threat modelling method. As a secondary plan for identifying threats and vulnerabilities, a questionnaire based on industry best practices was prepared.
Two workshops were held with the case company during the risk assessment process. The first concentrated on identifying the risks and the second on rating them. In the end, STRIDE threat modelling was found to be challenging in a cloud environment, and the secondary plan of identifying deviations from industry best practices provided better results. Performing the risk assessment during the proof of concept phase limited the tools and data available, but the results were found to be valuable as preparation for the production environment.
Based on the risk assessment findings, the effect of the selected methods on the results was evaluated; a comparison of different threat modelling methods is presented here, together with recommendations for future risk assessments.