Cloud security risk management

Cloud Security Risk Management is a frequently discussed and analyzed topic that, in recent years, has captured the interest of many scholars and professionals. It reunites under a single category different remarkable elements: The technical and economic relevance of cloud systems, whose diffusion has been one of the most notable phenomena of the last decade; the growing concerns about information security, including privacy; the increasing relevance of risk analysis and management applied to information technology and systems as processes that encompass technical aspects as well as compliance, governance and business. However, Cloud Security Risk Management as a research field and a set of methodologies, analyses and techniques is still far to be a mature discipline. On the contrary, it is ridden with uncertainty derived from the still early stages of security risk analysis, especially applied to cloud systems, and the relatively poor experience in managing cloud risks. For these reasons there is still an on going debate about which risks should be considered cloud-specific and new, which established risk-mitigating solutions and standards could be applied to the cloud environment and so forth. In this chapter, we conduct a survey on the fundamental aspects of Cloud Security Risk Management, starting from the definition of risk and moving to analyze cloud-specific risks. With respect to risk management, we emphasize the contractual nature of cloud computing, thus focusing specifically on Service Level Agreements (SLAs), an issue that has been the subject of several relevant analyses and proposals in recent years.