Journal of Cloud Computing – A risk assessment model for selecting cloud service providers


By Erdal CayirciAlexandr GaragaAnderson Santana de Oliveira and Yves Roudier

This is one of my most recently published papers. The first in Open Access:


The Cloud Adoption Risk Assessment Model is designed to help cloud customers in assessing the risks that they face by selecting a specific cloud service provider. It evaluates background information obtained from cloud customers and cloud service providers to analyze various risk scenarios. This facilitates decision making an selecting the cloud service provider with the most preferable risk profile based on aggregated risks to security, privacy, and service delivery. Based on this model we developed a prototype using machine learning to automatically analyze the risks of representative cloud service providers from the Cloud Security Alliance Security, Trust & Assurance Registry.



Five Steps to Perform a Cloud Risk Assessment

CC license. Photo by

The main difficulty in assessing cloud risks is the lack of visibility about the implemented security controls by the cloud provider. Oftentimes customers can see security certification information, but these are not sufficient to have a precise cloud risk assessment. We published a research paper with a practical approach to perform cloud risk assessments, with reproducible steps that potential cloud customer perform:

1 – Define the cloud risk scenarios affecting your business

There are relevant cloud-specific risks to watch out for: lock-in, compliance challenges, shared technology risks, most of them are discussed in the ENISA recommendations for information security in the Cloud, from 2010, but you will likely add consider other risks affecting your business, such as foreign government espionage, which was not in the ENISA’s enumeration, but became extremely relevant since 2013.

2 – Determine relevant security controls to protect your assets

Each risk scenario links to a number of vulnerabilities. In order to mitigate these, one must select appropriate security controls, more often by adopting a security standard. The Cloud Controls Matrix by CSA is a great resource for that. It contains an extensive collection of controls and practices extracted from the most prominent standards. These controls are grouped in relevant categories (called Control Domains), which make it easy to relate to a number of risk scenarios. For instance, the Compliance control domain will help in addressing the “Regulatory” and “Legal” risk scenarios, whereas controls in the Resiliency domain will help to mitigate some risks related to service delivery and quality of service.

3 – Assess your cloud provider

The main difference with doing risk assessments in general is that by moving data to the cloud, the organizations do not have the same level of control as on premise. Depending on the delivery model, a considerable part of the responsibilities will rely on the cloud provider. It is important to assess how the provider implements the controls that are relevant to your risk scenarios from step 1. For that, an excellent source of information is the CSA Security, Trust & Assurance Registry (STAR). Each provider in the repository responded to around 300 questions related to the most important information security standards (this is the Consensus Assessments Initiative Questionnaire, CAIQ). As a cloud consumer, your organization needs to know which controls are the most suited to mitigate the threats in your risk scenarios. Ah, the cloud provider you intend to contract is not in the CSA Registry? Just ask them to fill in the CAIQ. Or the answers in the Star Registry aren’t clear? Ask for more details to the provider. It has probably already gone through this exercise and they are sharing the answers only under some NDA.

4 – Estimate the residual risks and further measures to be taken

Not all responsibilities are on the hands of the provider. There are controls you will need to put in place, even if you are using a SaaS. For example, your employees need to be aware about social engineering attacks. For PaaS and IaaS there are many more security controls to activate and monitor by yourself.

5 – Make your decision
Determine which data and/or business process will move to the cloud and estimate the impact to your organization to their CIA (confidentiality, integrity, and availability) properties. Different cloud offers will address security needs in different ways. In the paper, we show an approach to cluster risk scenarios in three main risk indicators allowing compare different providers easily, a screenshot with pseudonymized providers is given below. Another important point is to review SLAs, privacy policies and further contractual documents very carefully. Finally, once you made your choice, keep in mind that sometimes there is room for negotiating specific contracts terms to obtain better guarantees.

CARAM screenshot

Comparing providers using risk indicators

A Data Protection Impact Assessment Methodology for Cloud

We propose a data protection impact assessment (DPIA) method based on successive questionnaires for an initial screening and for a full screening for a given project. These were tailored to satisfy the needs of Small and Medium Enterprises (SMEs) that intend to process personal data in the cloud. The approach is based on legal and socio-economic analysis of privacy issues for cloud deployments and takes into consideration the new requirements for DPIAs within the European Union (EU) as put forward by the proposed General Data Protection Regulation (GDPR). The resultant features have been implemented within a tool.

With Rehab Alnemr, Erdal Cayirci, Lorenzo Dalla Corte, Alexandr Garaga, Ronald Leenes, Rodney Mhungu, Siani Pearson, Chris Reed, Anderson Santana De Oliveira, Dimitra Stefanatou, Katerina Tetrimida and Asma Vranaki

At the Annual Privacy Forum 2015

See the slides: APF2015presentaion

And the full paper (pre-proceedings version): ANPF2015

Enabling Message Security for RESTful Services

Also check out our recent paper at the IEEE International Conference on Web Services 2012, more details can be found in the link below:

The full paper is available here: 


HiPoLDS: A Security Policy Language for Distributed Systems

In the context of the CESSA project, we had a paper recently presented at WISTP 2012:  HiPoLDS: A Security Policy Language for Distributed Systems by Matteo Dell’Amico, Gabriel Serme, Muhammad Sabir Idrees, Anderson Santana de Oliveira and Yves Roudier. The abstract is as follows:

Expressing security policies to govern distributed systems is a complex and error-prone task. Policies are hard to understand, often expressed with unfriendly syntax, making it difficult to security administrators and to business analysts to create intelligible specifications. We introduce the Hierarchical Policy Language for Distributed Systems (HiPoLDS ). HiPoLDS has been designed to enable the specification of security policies in distributed systems in a concise, readable, and extensible way. HiPoLDS’s design focuses on decentralized execution environments under the control of multiple stakeholders. Policy enforcement employs distributed reference monitors who control the flow of information between services. HiPoLDS allows the definition of both abstract and concrete policies, expressing respectively high-level properties required and concrete implementation details to be ultimately introduced into the service implementation.



SAP Network Blog: Security Vulnerabilities Detection and Protection Using Eclipse

In an effort to bring back this blog to life, I would like to share with you the outstanding work from Gabriel Serme together with Paul el Khoury and Marco Guarnieri. Gabriel is a PhD candidate at SAP research working with me on the CESSA Project. He delevopped a tool to detect and to correct in a semi-automated manner web application vulnerabilities using aspect-oriented programming.
Plese check his blog post for more details:

Evolving Security Requirements in Multi-Layered Service-Oriented-Architectures

This post is about a paper we presented at SETOP 2011.
It basicaly presents the vision of the CESSA project.

Authors: Muhammad Sabir Idrees, Gabriel Serme, Yves Roudier, Anderson Santana De Oliveira, Herve GrallMario Sudholt

Here is the abstract:
Due to today’s rapidly changing corporate environments, business processes are increasingly subject to dynamic configuration and
evolution. The evolution of new deployment architectures, as illustrated by the move towards mobile platforms and the Internet Of Services, and the introduction of new security regulations(imposed by national and international regulatory bodies, such as
SOX(Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002) or BASEL are an important constraint in the design and development of business processes.
In such a context, it is not sufficient to apply the corresponding adaptations only at the service orchestration or at the
choreography level; there is also the need for controlling the impact of new security requirements to several architectural
layers, specially in cloud computing, where the notion of Platforms as Services and Infrastructure as Services are fundamental. In this paper we survey several research questions related to security cross-domain and cross-layer security
functionality in Service Oriented Architectures, from an original point of view.

We provide the first insights on how a general service model empowered with aspect oriented programming capabilities can provide clean modularization to such cross-cutting security concerns.