Title :
Pattern-based and ISO 27001 compliant risk analysis for cloud systems
Author :
Alebrahim, Azadeh ; Hatebur, Denis ; Goeke, Ludger
Author_Institution :
Paluno - The Ruhr Inst. for Software Technol., Univ. of Duisburg-Essen, Essen, Germany
Abstract :
Security plays a decisive role in whether companies accept clouds and use cloud services. For cloud providers, one way to obtain customers' confidence is to establish security mechanisms when using clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization. Risk analysis is an essential part of the ISO 27001 standard for achieving information security. This standard, however, contains ambiguous descriptions. In addition, it does not stipulate any method for identifying assets, threats, and vulnerabilities. In this paper, we present a structured, pattern-based method for conducting risk analysis for cloud computing systems. It is tailored to SMEs. Our method addresses the requirements of ISO 27001. We make use of the cloud system analysis pattern, security requirement patterns, threat patterns, and control patterns to conduct the risk analysis. The method is illustrated by a cloud logistics application example.
Keywords :
ISO standards; cloud computing; risk analysis; security of data; ISO 27001 compliant risk analysis; ISO 27001 standard; SME; cloud computing systems; cloud logistics application; cloud providers; cloud services; cloud system analysis pattern; control patterns; customer confidence; information security; pattern-based method; security mechanisms; security requirement patterns; threat patterns; Organizations; Risk analysis; Security; Servers
Conference_Title :
Evolving Security and Privacy Requirements Engineering (ESPRE), 2014 IEEE 1st Workshop on
Conference_Location :
Karlskrona
DOI :
10.1109/ESPRE.2014.6890527