IT security risk assessment methods developed from IT/IS security frameworks and industry best practices across the world are used to assure confidence in organisational protection mechanisms. Organisations have been utilising these methods to effectively implement traditional IT systems (Azeemi et al., 2013). However, with the emergence of Cloud Computing there is a lack of established common methods for assessing security risk in IT systems implemented in the cloud (Drissi et al., 2013).
With IT departments coming under increased pressure to quickly adopt cloud computing so that their organisations can benefit from potential cost savings, increased flexibility and business agility, it is becoming common for organisations to overlook formal security risk assessment procedures (CITE). This is often because organisations have limited resources to conduct these assessments, because some form of assessment has already been conducted by third-party vendors or consultancies, or because risk assessment is given low priority within the organisation (Dahbur et al., 2011). Furthermore, the current security risk assessment methods used in cloud projects are perceived by organisations to be too generalist, complicated and restrictive, an unwelcome feature in the dynamic operating environment of cloud computing (Latif et al., 2014).
One of the solutions proposed to the problem of absent formal security risk assessment for Cloud is a complete rethink of how traditional security risk assessment methods are applied in cloud computing. There have been suggestions for more structure and rigour, for tooling, and for security risk assessment to become autonomic (Djemame et al., 2011; Zhang et al., 2010). The notion of security risk assessment as a service has also been proposed in recent studies (Theoharidou et al., 2013).
Security risk assessment in cloud implementation projects is an area that has received limited research attention, mainly due to problems stemming from sample sizes, lack of organisational resources to support such research, and the inherent uniqueness of SMEs (Hunter, 2004). However, this area can no longer be ignored, as nearly x% of all businesses are currently undertaking or contemplating migrating their legacy systems into the cloud (CITE).
This research investigates the current state of formalised security risk assessment for Cloud and how these methods could be modified for migrating legacy systems into Cloud. A mixture of traditional IS and recent Cybersecurity risk assessment approaches will be investigated, with the goal of establishing that a combination of these methods can lead to improved assurance and confidence in the case of legacy system cloud migration. How the organisation and practitioners involved in this research perceive this method will also be investigated. As organisations remain hesitant over security concerns about migrating their business critical legacy systems into the cloud, a security risk assessment method that can help boost confidence could prove advantageous to them.
The research will be conducted using an action research methodology, with the aim of bringing about change in the organisation, improving the situation with the help of the participants. The research will achieve this goal by attempting to answer the following research question:
Research Question 1: To what extent can combinations of traditional IS security and recent cybersecurity risk assessment approaches improve assurance in the case of legacy system cloud migration projects?
It is hypothesised that combining traditional IS security risk assessment methods with procedures from recent cybersecurity risk methodologies will result in a modified risk assessment method that can boost assurance and confidence in legacy system cloud migration projects. In order to test this research question, a toolset of appropriate resources and procedures will be developed. This will allow the effectiveness of the proposed method to be examined in conceptual form. Consequently, this raises two secondary research questions:
Research Question 2: What resources and procedures will need to be included in a toolset that combines these methods in order to assess the primary research question?
Research Question 3: What are the results of implementing the modified security risk assessment toolset in the case of migrating legacy systems into Cloud?
The secondary research questions are aimed at determining the possibility of producing a toolset to test the concept of Research Question 1, and whether this combination of traditional IS security and recent cybersecurity risk assessment methods can improve assurance and confidence in legacy system cloud migration projects.
The emergence of new computing environments has traditionally challenged IT practitioners to reposition their business critical systems in order to take advantage of projected benefits such as cost savings and flexibility, while maintaining their operability and effectiveness. Consequently, in the transition of computing environments from mainframe to server to Service-Oriented Architectures (SOA) and to Cloud, legacy IT system migration remains a critical point of concern.
Cloud Migration is the whole or partial deployment of an organisation’s assets, IT services, applications and infrastructure into the Cloud. Cloud migration has been compared to migration to Service-Oriented Architectures (SOA) in several studies in an attempt to draw parallels in terms of processes and techniques. One notable difference between the two computing environments, however, is the marked dissimilarity in security requirements. Fundamentally, SOA is utilised to expose IT services within the organisation and to its partners. Cloud, on the other hand, is used for exposing IT services to customers. Generally, security is highly understated for SOA migration and highly overstated in the case of Cloud migration (Jamshidi et al., 2013). These security requirements in the case of Cloud ultimately influence and determine the type of deployment model for migrating legacy IT systems. The importance of the unique security requirements for migration of legacy IT systems to Cloud establishes it as a subject of research interest in its own right.
The proposed research is concerned with exploring the methods used to assess cloud security risk and the possible linkage between these methods and organisations attaining higher levels of confidence in their approach to migrating legacy systems into Cloud. Much of the current literature appears to be exploratory in nature in its approach to the security risk aspects of cloud migration. Recent studies generally acknowledge that security concerns pose the highest uncertainty to business and are the leading barriers to migrating legacy systems to cloud environments (Rosado et al., 2012). The same study attempts to rationalise these concerns by arguing that the primary concern is loss of control of security to third-party providers, as cloud computing does not specifically introduce new issues into existing IT security policies. However, each new third-party provider or subcontractor within a cloud deployment model invariably introduces a new single point of failure through its dependency (Armbrust et al., 2010), a situation which can be expected to be more pronounced in the case of legacy systems in Cloud.
Rai et al. (2013) captured a broader view of the cloud migration challenges, categorising them into Business and Technical factors and identifying data security and security architecture issues in both categories. These factors confirm, in a more granular manner, the security concerns captured in other studies. Rosado et al. (2012) also argue that Cloud Migration, despite the security concerns, offers businesses the opportunity to re-architect existing applications and infrastructure with an improved level of security to meet present and future needs. On the contrary, existing approaches to the migration process do not consider security aspects, providing no guarantee that the security features of the legacy systems are successfully migrated (Rosado et al., 2012; Rai et al., 2015). Therefore, decision support to address the migration of business services into Cloud needs to adequately consider security perspectives in order to ensure the significance of security in the cloud migration process (Rosado et al., 2012).
Within academia, several frameworks have been proposed to address security concerns within the cloud migration process. Rai et al. (2015) proposed a secure cloud migration framework to promote systematic and trustworthy migration to cloud. Zhao et al. (2010) suggested Reference Deployment Models to address user security concerns by using specific architectures for the deployment of systems to Cloud. Yu et al. (2011) also made recommendations on a basic procedure for the cloudification of legacy applications. Tariq et al. (2014) put forward a Requirements Engineering process for SaaS applications. SaaS applications, a delivery model for cloud-based systems, are fundamentally different from traditional on-premise applications and as such give rise to entirely new security requirements. The common shortcoming observed with these approaches is their failure to effectively combine risk and security aspects in determining the overall approach to migrating to cloud computing services (Walterbusch et al., 2013).
In practice, most cloud migration projects are driven or managed either by software vendors, Cloud Providers or IT Consultancies. With no standard guidelines or decision support tools for businesses to assess risks and determine a migration approach, these third parties provide marketing-based whitepapers (PricewaterhouseCoopers, 2012) and conceptual frameworks (IBM, 2010) as alternatives. These substitutes have been found by researchers to be widely unproven and tend to be based on proprietary technologies (Khajeh-Hosseini et al., 2011).
Non-profit, professional and governmental agencies concerned with safeguarding information security have also responded to the emergence of Cloud Computing by producing guidelines for best practice. The Cloud Security Alliance (CSA) published a comprehensive suite of governance, risk management and compliance tools for cloud providers, customers and key stakeholders to assess their needs against industry standards and best practice criteria (CSA, 2011). The CSA suite, which leverages the requirements of the ISO/IEC 27001:2005 management system standard (ISO, 2011), has been wholly adopted by the British Standards Institute (BSI). The European Union Agency for Network and Information Security (ENISA) has also published its guide on cloud computing risks and opportunities for SMEs in the EU (ENISA, 2015). The Information Systems Audit and Control Association (ISACA) produced its guidelines for cloud assessment incorporating ISO, COBIT and NIST security controls (ISACA, 2012). With a view to being easy to use and generic enough to suit a wide range of IT environments, these guidelines and frameworks mostly utilise the checklist approach in assessing cloud security risk. This approach can be highly restrictive, too narrow in focus and not reflective of an organisation’s specific computing environment, thereby failing to add value to the cloud security risk assessment process.
In researching new metrics and models of success for Cloud migrations, Azeemi et al. (2013) argued that organisational ability to manage new security risk should be considered as an additional success factor. Garrison et al. (2012) suggest that effective risk management is one of the organisational capabilities that determine the probability of cloud success. Paquette et al. (2010) also identified the management of security risk in governmental use of cloud computing as a key determinant of its success. Abdollahzadegan et al. (2013) suggested there is a correlation between an organisation’s ability to assess and manage risk prior to implementation, its size, and the success of its adoption of cloud computing. These arguments clearly indicate the importance of security risk assessment in cloud adoption and migration success. With various approaches and guidelines available to assess cloud security risk, the responsibility lies with the organisation, as the cloud customer, to determine the most appropriate method or combination of methods to suit its specific needs.
The research will examine the issue of security risk assessment methods in migrating legacy systems into Cloud, using an action research methodology. This approach is intended to provide a new perspective on the issue, and the research will investigate whether formalised security risk assessment methods can be modified for the unique requirements of migrating legacy systems into Cloud. This adaptation will take the form of a consolidation of traditional IT security risk assessment methods and the more recent cybersecurity approaches, with the fundamental aim of establishing whether a modified security risk assessment method can be developed to aid organisations with their future legacy system cloud migration projects. Such a modified method has the potential to help organisations achieve higher levels of assurance and confidence, and ultimately to improve the success rate of legacy system cloud migration projects.
This research area is indeed worthy of further investigation, as every organisation must at some point contemplate or undertake legacy system cloud migration projects. This research will add to their understanding and knowledge of cloud security risk assessment. The outcomes will specifically be helpful to IT practitioners and management involved in legacy system cloud migration projects, bringing about an increased level of confidence and success.
The researcher’s background as an independent IT practitioner involved in requirements analysis, enterprise architecture, system design, vendor selection, implementation project management and systems assurance & governance provides the relevant competencies to conduct this investigation and will be further enriched by this research into the area of cloud security risk assessment.