Derivation of a Conceptual Framework to Assess and Mitigate Identified Customer Cybersecurity Risks by Utilizing the Public Cloud


Abstract

The number of end points connecting to the cloud can increase distributed attack vectors due to vulnerable devices connecting from the front end. The risk is also enhanced due to the technological abstractions associated with public cloud computing models at the back end. On the one hand, cloud service providers make sets of defined service criteria and supporting documentation publicly available to assist customers with their public cloud deployments. However, on the other hand, a cacophony of security incidents over the past five years involving vulnerable cloud customer instantiations reveals that cloud security risks may not be completely comprehended. Essentially, the fundamental principle of cloud computing is the ‘shared security responsibility’ model. It is argued in this paper that from a cloud customer perspective, there is either too much reliance upon legacy risk assessment methods and/or standards-orientated compliance-mapping approaches when trying to apply due diligence for cybersecurity. This can be amplified by different cloud service providers using terms like ‘core services’ and ‘managed services’ rather than traditional terms such as Infrastructure-as-a-Service and Platform-as-a-Service. This extended paper describes the myriad of techniques used to derive a conceptual framework through post-graduate research. Based around a defense-in-depth model, the proposed conceptual framework is a proof of concept to enable customers to focus on the contextualized risks when using the public cloud. A method of reducing the risks using mitigation categories is also proposed. Consequently, a method of calculating residual risk against the identified risk levels is theoretically defined and dependent upon the rigor of counter-measure selection.

Bird, D. (2020). Derivation of a Conceptual Framework to Assess and Mitigate Identified Customer Cybersecurity Risks by Utilizing the Public Cloud. In Advances in Intelligent Systems and Computing (Vol. 1027, pp. 249–265). Springer. https://doi.org/10.1007/978-981-32-9343-4_20
