Security plays a decisive role in whether companies accept clouds and use cloud services. For cloud providers, one way to obtain customers' confidence is to establish security mechanisms for using clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization. Risk analysis is an essential part of the ISO 27001 standard for achieving information security. The standard, however, contains ambiguous descriptions. In addition, it does not stipulate any method for identifying assets, threats, and vulnerabilities. In this paper, we present a structured and pattern-based method for conducting risk analysis for cloud computing systems. It is tailored to SMEs. Our method addresses the requirements of ISO 27001. We make use of the cloud system analysis pattern, security requirement patterns, threat patterns, and control patterns for conducting the risk analysis. The method is illustrated by a cloud logistics application example.
I. INTRODUCTION

Cloud computing represents a technology as well as a business model [2]. The National Institute of Standards and Technology (NIST) defines the following properties for cloud computing systems [18]: the cloud customer can request resources of the cloud provider, such as storage, processing, memory, network bandwidth, and virtual machines, over broad network access and on demand, and pays only for the capabilities used. Using cloud computing services is thus an economical way of acquiring IT resources. The dynamic acquisition and scalability, while paying only for what was used, make cloud computing an interesting alternative for a large number of potential customers.

To benefit from cloud computing and the advantages it offers, obstacles to the usage of clouds must be cleared. Security plays a decisive role in whether companies accept clouds and use cloud services. For cloud providers, one way to obtain customers' confidence is to establish security mechanisms for using clouds by certifying their cloud computing systems. The ISO 27001 standard [13] provides general concepts for establishing information security risk management in an organization. Annex A of the ISO 27001 standard describes the normative controls of the standard. Risk analysis provides a foundation for the security of each organization. Hence, it is an essential part of the ISO 27001 standard for achieving information security. The standard does not stipulate any method for performing risk analysis. To identify assets, threats, and vulnerabilities as essential building blocks of security risk assessment, companies offering cloud services need structured and comprehensible methods.

In this paper, we present a structured and pattern-based method for conducting risk analysis for cloud computing systems.