| Résumé: | <p>While the cloud model has many economic and functional advantages, the increased external interactions of cloud applications have expanded the complexity of its architectures and reshaped its supply chain. Due to the variety of parties involved in cloud service delivery and the high degree of supplier autonomy, assessing cloud risks has become a challenge. Also, the widespread application of traditional frameworks to cloud risk assessment has several shortcomings, including the subjectivity of risk evaluation and inability to measure cyber risk in complex systems. </p>
<p>Recognising that recent work on cloud risk assessment has focussed on cloud consumer risks, we sought to address the cloud service provider (CSP) risk assessment challenge. This research began with an in-depth assessment of the literature in cloud risk assessment and supply chain transparency. We conducted surveys and semi-structured interviews to validate the transparency gap and establish its link with qualitative risk assessment methods. The results of the studies substantiated the need for more rigour in cloud risk assessments and provided evidence on how this can be improved with supply chain transparency. </p>
<p>To address this gap, we proposed the Cyber Supply Chain Cloud Risk Assessment (CSCCRA) model; a quantitative and supply chain-inclusive model targeted at Software-as-a-Service (SaaS) CSPs. The model is made up of three main components, two of which are novel inclusions to cloud risk assessment, i.e. supply chain mapping and supplier security assessment. The CSCCRA model reflects the systems thinking approach, enabling CSPs to visualise information flow through the supply chain, assess supplier security posture, document assumptions regarding the risk factors, and appraise security controls. </p>
<p>In evaluating the CSCCRA model, a three-step approach was adopted. First, the developed model was evaluated by the author and members of the academic community to ensure that it met our initial criteria. Second, the model was face-validated by cloud and risk experts within the industry. Third, we conducted three real-world case studies, using the model to assess the risks of SaaS providers. The result of these evaluations confirmed the usefulness and applicability of the model for assessing cloud provider risks. Also, the case study results and subsequent development of the CSCCRA web application showed that a structured and systematic application of the proposed model within a SaaS organisation was capable of yielding objective and defensible results. The model demonstrated its utility by assisting stakeholders to quantify cloud risks, while also promoting cost-effective risk mitigation and optimal risk prioritisation.</p>
<p>Overall, these results advance knowledge both for research and in practice, taking us one step further into improving cloud risk assessment.</p>
|
|---|