Authors:
Nazila Gol Mohammadi
1
;
Ludger Goeke
1
;
Maritta Heisel
1
and
Mike Surridge
2
Affiliations:
1
Working Group Software Engineering, University of Duisburg-Essen, Oststr. 99, Duisburg, Germany
;
2
IT Innovation, Southampton, U.K.
Keyword(s):
Context Analysis, Risk Assessment, Threat and Control Identification, Cloud Computing Systems.
Abstract:
Data protection and a proper risk assessment are success factors for providing high-quality cloud computing systems. Currently, the identification of the relevant context and possible threats and controls requires high expertise in the security engineering domain. However, consideration of experts’ opinions during the development life-cycle often lacks a systematic approach. This may result in overlooking of relevant assets or missing relevant domain knowledge, etc. Our aim is to bring context analysis and risk assessment together in a systematic way. In this paper, we propose a systematic, tool-assisted, and model-based methodology to scope the context and risk assessment for a specific cloud system. Our methodology consists of two parts: First, we enhance the initial context analysis necessary for defining the scope for risk assessment, and second we identify relevant threats and controls during design- and deployment-time. Using the context model, and design-time system model, we
further refine the gathered information into a deployment model. All steps of our methodology are tool supported and in a semi-automatic manner.
(More)