Migration Goals and Risk Management in Cloud Computing

Shareeful Islam, Stefan Fenz, Edgar Weippl, Christos Kalloniatis
2016 International Journal of Secure Software Engineering  
Organizations are now seriously considering adopting cloud into their existing business context, but migrating data, applications and services into the cloud does not come without substantial risks. These risks are significant barriers to wider cloud adoption. There are works that consolidate the existing work on cloud migration and technology. However, there is no secondary study that consolidates the state of the art research and existing practice on risk management in cloud computing. This makes it difficult to understand the risk management trend, maturity, and research gaps. This paper investigates the state of the art research and practices relating to risk management in cloud computing and discusses survey results on migration goals and risks. The survey participants are practitioners from both public and private organizations in two different locations, i.e., the UK and Malaysia. The authors identify and classify the relevant literature and systematically compare the existing works and survey results. The results show that most of the existing works do not consider the existing organization and business context for the risk assessment. The authors' study results also reveal that risk management in cloud computing research and practice is still not at a mature stage but is gradually advancing. Finally, they propose a risk assessment approach and determine the relative importance of the migration goals from two real migration use cases.

critical and one of the main barriers to wider cloud adoption. There are works from both the research and industry communities relating to risks and risk management practice for cloud computing. However, there is no study that identifies, analyzes and compares these works. Such a study is necessary to identify the research trend, research gaps and future directions so that risk management can effectively support organizations with their cloud adoption. The review aims to answer the three research questions given in Table 1. We combine a systematic literature review (SLR) with social commentary as the methods for performing this study. The systematic literature review identifies the literature from research databases. Social commentary captures the state of practice by following blogs, industry presentations, CSP websites and white papers. Cloud computing has already attracted considerable attention from the industry community; therefore, we believe relevant literature will be available for the purpose of this study.
Step 2: Conducting
This second step is mainly concerned with the final selection of the studies for the review, which is then documented in step 3. Our aim is to identify literature that deals with risks and risk management frameworks in cloud computing. It is important to select the relevant sources for performing an SLR. Therefore, we use the preliminary keywords risk management framework in cloud, risks (security, privacy, business, legal, and organization), and cloud areas for this study. We use the search engines of the following five sites to extract the literature: Google Scholar, Elsevier, IEEE Xplore, ACM Digital Library and Science Direct. Our effort relating to social commentary is to identify practitioners' views on cloud risks and the existing industry practice to mitigate these risks. For this purpose we follow white papers and technical reports from well-known CSPs and technology websites. The papers and industry articles were mostly selected from those published from 2008 onwards, because the research domain is recent and rapidly changing. Initially, we identified 52 papers from the sites and 36 items from the industry-related sources. After reviewing titles and abstracts, we observed that most of the works consider security and privacy risks and very few consider business risks in the cloud. The final selection is carefully made based on our inclusion and exclusion criteria, as shown in Table 2. The inclusion criteria emphasize coverage of the area, timeliness of the solution, and overall quality. In particular, literature is selected if it covers the identified areas and comes from the well-known sites. Finally, we selected a total of 32 academic publications and 10 items of practitioners' views for this review.
Step 3: Documenting
This is the final step of our review.
The selected papers were split into five main categories based on the main focus of this review, i.e., risk management framework, risks and controls in cloud-based systems, security risks, privacy risks, and case study. Table 3 shows the main areas taken into consideration for each category. Table 4 summarizes the papers by category. The review of the selected articles, the research trend and future directions are presented in the following sections.
ANALYSIS OF THE STUDIES
This section reviews the papers and articles selected in the previous sections for the state of the art review.
Risk Management Framework
Managing risks is a challenging task for wider cloud adoption. This section includes work that considers critical cloud areas, risk management processes and techniques from both the academic and industry communities. Prasad and Ben (2010) propose QUIRC, a security risk management framework based on six key cloud-specific security criteria, i.e., confidentiality, integrity, availability, multiparty trust, mutual auditability and usability, to identify and assess security risks. Risk assessment follows a fully quantitative method that involves Subject Matter Experts in providing
doi:10.4018/ijsse.2016070103