Critical Risk Analysis for Cloud Computing

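C. L. Liu¹, W. H. Chen² and D. K. Tung¹

¹ Department of Electrical and Electronic Engineering, Chung Cheng Institute of Technology, National Defense University
² School of Defense Science, Chung Cheng Institute of Technology, National Defense University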


ABSTRACT

  Cloud computing is a new service model with many significant advantages, and it has become a worldwide trend. It also brings new security problems, however, which are strong barriers for individuals and enterprises considering its adoption. Many international organizations, including the European Network and Information Security Agency (ENISA), have issued reports on cloud computing security. The risks identified in these reports are mixed with traditional security problems, which leaves cloud providers and users unable to assess the security of cloud computing specifically. In this paper, we take a risk-analysis perspective and identify the critical security issues that are specific to cloud computing. Following the classification adopted by ENISA, we divide these risks into three categories: policy and organizational risks, technical risks, and legal risks. Drawing on the literature on cloud computing risk, we propose 20 cloud computing-specific risks across these categories and explain each one in detail. Most of the issues pointed out in this paper can be taken into consideration by cloud computing service providers when designing a new cloud computing technique, and we hope the discussion can serve as a reference for researchers and cloud providers in solving security problems.

Keywords: Cloud computing; Risk management; Security identification