This post describes the Cloud Supply Chain Cyber Risk Assessment (CSCCRA) research project from the Cyber Security CDT, Oxford University. Comparisons are also made with the risk assessment processes in RestAssured.
RestAssured project member OCC participated in the case study as a provider of SaaS (Software as a service), specifically software which relies on multiple suppliers of cloud services. The primary purpose of this study is to validate the applicability of the model to address the gaps in cloud risk assessment and is best described by the study researcher (O. Akinrolabu):
“Security risks associated with the cloud’s multi-tenancy, automation, vendor lock-in, and system complexity continue to be on the rise. Assessing and managing these risks can be a challenge due to the increased numbers of parties, devices and applications involved in cloud service delivery.
In a recent study conducted with cloud experts, we discovered how current risk assessment methods were unable to cope with the dynamic nature of the cloud, a gap linked to their failure to consider the inherent risk of the supply chain. This challenge is further exacerbated by the lack of cloud provider transparency and limited visibility of security controls.”
The exercise aims to “provide SaaS (Software as a service) providers with an opportunity to step back cognitively from their usual approach to risk assessment and fundamentally question and rethink their established interpretations of cloud risks.”
It is easy for SaaS providers to focus their security efforts on the cloud services that they directly control and to not take into proper consideration the risks associated with the wider supply chain, specifically the third parties that provide services which integrate with or support their cloud software. Examples of such services include databases, DNS, hosting, e-mail, payment and monitoring.
For each provider of services in the supply chain, the model produces an associated risk value in monetary terms. This gives the SaaS provider a tangible value to use in decision making, for example whether to accept the risk or take steps to reduce it.
Because risk estimates involve a high degree of uncertainty, the model makes use of the Monte Carlo simulation technique.
How the CSCCRA Model works
The CSCCRA model is made up of the following steps:
- Decompose the cloud application into its component services and map out the supply chain
- Assess the security of the supplier of each service component using a multi-criteria decision support system
- Identify the weak link(s) within the chain and draw a comprehensive list of cloud security risks
- Stakeholders make reasonable estimates of risk values
- Input the risk values into the CSCCRA quantitative simulation tool to arrive at a risk value in monetary terms.
The predefined criteria used to assess the security of the service suppliers (step two above) were the result of a Delphi study tasked with identifying security factors for cloud suppliers. They consist of three categories, each decomposed into three sub-criteria:
Data and Infrastructure Controls:
- Data & System Hosting
- Data Security Controls
- Availability of Service
Operational Maturity and Compliance:
- Maturity of Security Assessment process
- Maturity of Operational Security
- Security Governance & Compliance
Access Control and Application Management:
- Identity & Access Management (IAM)
- Encryption & Key Management
- Application Security
It became clear from this stage of the exercise which suppliers were weaker or did not make enough information about their security processes available. Following this step, a list of cloud security risks was identified. These could be grouped into three main categories: service disruption, breach of personal data and loss of infrastructure.
For each risk, the vulnerability details, threat agent, security effect and any existing security controls were detailed. Stakeholders then made estimates for the probability of risk occurrence with and without any existing controls, the impact cost if the risk were to occur and the estimated number of occurrences per year. The estimates were based on lower, most likely and upper bound parameters.
A pragmatic approach was taken in estimating impact costs as there is not enough guidance or information available, particularly surrounding GDPR penalties or damage to reputation, to provide accurate numbers.
The final step of the exercise involves feeding the estimates into the quantitative simulation tool, which then generates a risk value in monetary terms. This step has not yet been performed, but once complete, the risk values produced can be used by the business to prioritise the identified risks and decide what effort should be made to reduce or mitigate them.
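As an added illustration of the estimation and simulation steps described above (this is example code written for this post, not the CSCCRA tool or the study's own code), each lower/most likely/upper estimate is treated as a triangular distribution, and repeated trials of probability × occurrences per year × impact cost give a distribution of annual loss that can be compared with and without existing controls. The DNS outage risk and all its numbers are constructed sample values.

```python
"""Monte Carlo annual-loss estimate from three-point stakeholder estimates.

Illustrative example for this post; not the CSCCRA simulation tool itself.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class ThreePoint:
    """A stakeholder estimate given as lower, most likely and upper bound."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); the mode is the most likely value.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass
class Risk:
    name: str
    p_without_controls: ThreePoint    # probability of occurrence, inherent
    p_with_controls: ThreePoint       # probability once existing controls are counted
    impact_cost: ThreePoint           # cost per occurrence, in currency units
    occurrences_per_year: ThreePoint  # estimated number of occurrences per year


def simulate_annual_loss(risk: Risk, with_controls: bool, trials: int = 20000, seed: int = 0) -> dict:
    """Return mean, median and 90th percentile of simulated annual loss."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    p_est = risk.p_with_controls if with_controls else risk.p_without_controls
    losses = sorted(
        p_est.sample(rng) * risk.occurrences_per_year.sample(rng) * risk.impact_cost.sample(rng)
        for _ in range(trials)
    )
    return {"mean": statistics.fmean(losses),
            "p50": losses[len(losses) // 2],
            "p90": losses[int(0.9 * len(losses))]}


def control_value(risk: Risk, **kw) -> float:
    """Monetary reduction in mean annual loss attributable to existing controls."""
    inherent = simulate_annual_loss(risk, with_controls=False, **kw)
    residual = simulate_annual_loss(risk, with_controls=True, **kw)
    return inherent["mean"] - residual["mean"]


# Constructed sample risk: outage of a third-party DNS supplier (hypothetical numbers).
DNS_OUTAGE = Risk("DNS supplier outage",
                  p_without_controls=ThreePoint(0.3, 0.5, 0.7),
                  p_with_controls=ThreePoint(0.05, 0.1, 0.2),
                  impact_cost=ThreePoint(20_000, 50_000, 150_000),
                  occurrences_per_year=ThreePoint(0.5, 1.0, 3.0))

if __name__ == "__main__":
    print("inherent:", simulate_annual_loss(DNS_OUTAGE, with_controls=False))
    print("residual:", simulate_annual_loss(DNS_OUTAGE, with_controls=True))
    print("value of existing controls:", round(control_value(DNS_OUTAGE)))
```

The mean of each triangular input is (low + likely + high) / 3, so the inherent mean annual loss here converges on 0.5 × 1.5 × 73,333 ≈ 55,000 currency units; the p90 figure shows the tail that a single expected value would hide.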
Furthermore, the researchers will publish a paper detailing their findings.
Comparison with Risk Modelling and Assessment in RestAssured
Both CSCCRA and RestAssured make use of system maps or graphs to model the relationship of the components in the supply chain, and both approaches generate a list of risks/threats/vulnerabilities.
The methods differ in the way that the risks are identified. In the case of RestAssured and the System Security Modeller (see D7.1), the threats are calculated automatically from the types of components selected, which are derived from a database of known threats, and from the trustworthiness assigned to components in the system model. CSCCRA, by contrast, relies on stakeholder knowledge for risk identification.
CSCCRA attempts to assess the security procedures of third parties, which, as discussed, can be difficult if such information is not publicly accessible; however, this does allow stakeholders to create a broader view of the supply chain map at a more abstract level. RestAssured takes a more granular approach to mapping out the components and services (also known as assets) of a cloud-hosted application and thus makes fewer assumptions about the security and trustworthiness of third-party service providers.
Finally, the goals of each method differ. In the case of CSCCRA, the result is a risk value in monetary terms, to be used in decision making. RestAssured risk assessment instead provides a list of threats against each asset in the system and, for each threat, any known control measures that would mitigate or reduce the impact; the analyst is then able to decide whether the risks are acceptable or to select from the available control strategies until the risk level of the system model is acceptable.
The original project poster for CSCCRA can be found here.