Information Security Governance Papers

Paper Title

The Abstract of The Paper

Exhibit 6 summarizes the models and their relative risk. These example risk ratings may be modified to fit with agency-specific risk assessment methodologies, but in general they are consistent with the degree of direct agency control represented by each service model. Each cloud service model can be assessed as an information service asset with unique risk ratings and resultant control selection for risk mitigation (e.g., contract terms, SLA content, compliance, monitoring tools).

The relative risk ratings increase as the cloud consumer moves from IaaS to PaaS and finally to SaaS. The service models build on one another, resulting in cumulative risk as the cloud provider assumes more direct control (i.e., PaaS builds on IaaS, and SaaS builds on both IaaS and PaaS, resulting in an increasing assumption of control by the cloud provider and therefore greater security risk to the cloud consumer).

New risk analysis methodologies should be closely monitored during the compliance and performance management process (Check phase) and modified as necessary to reduce overall information security risk over time. In all cases, the modified risk analysis methodologies and resulting risk rankings must be reviewed during the management oversight process (Act phase) to ensure management participation, risk awareness, review, and acceptance of both risk treatment options and resultant residual risks.

Exhibit 6 | Service Model Risk Characteristics

Service Model: Infrastructure as a Service (IaaS)
Risk Characteristics: The capability provided to the cloud consumer is to rent processing, storage, networks, and other fundamental computing resources and to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
Relative Additional Risk: Medium

Service Model: Platform as a Service (PaaS)
Risk Characteristics: The capability provided to the consumer is to deploy consumer-created applications onto the cloud infrastructure using programming languages and tools supported by the provider (e.g., Java, Python, .Net). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.
Relative Additional Risk: High

Service Model: Software as a Service (SaaS)
Risk Characteristics: The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure and accessible from various client devices through a thin client interface, such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Relative Additional Risk: Very High

Source: Booz Allen Hamilton
Web Link http://www.slideshare.net/BoozAllen/information-security-governance-government-considerations-for-the-cloud-computing-environment
