Cyber Supply Chain Risks in Cloud Computing - Bridging the Cloud Risk Assessment Gap | Cloud industry forum


Subscribe - news & resources

Professional membership

Cyber Supply Chain Risks in Cloud Computing - Bridging the Cloud Risk Assessment Gap

Olusola Akinrolabu, of the Centre for Doctoral Training (CDT) in Cyber Security at the University of Oxford has conducted a series of studies in relation to cloud risk assessment and have introduced several novel concepts for assessing cloud provider risks.  The team have identified a significant cyber supply chain gap in both literature and practice, one which they believe has prevented cloud providers from seeing the 'big picture' when addressing cloud risks. Furthermore, seeing that "you cannot effectively manage what you can't measure", many organisations have fallen victim of supply chain related incidents, due to indirect attacks on their suppliers.

As a result of the above, the CDT have proposed and developed the Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, a quantitative risk assessment model which is supported by supplier security assessment and supply chain mapping. The CSCCRA is currently targeting cloud providers, particularly SaaS CSPs, who rely on an increased number of suppliers to deliver a cloud service.

To validate the efficiency, effectiveness and usefulness of the CSCCRA model, they have conducted a workshop with industry experts and members of academia, where the model was used in assessing the risks of a fictional company. Here a series of improvements were suggested, all which have now been implemented. They have also taken their validation to a next level, by conducting the first case study with a not-for-profit cloud provider and the feedback was positive.

They are now calling on all SaaS CSPs who are interested to trial the model.  Some of the benefits of participating in this study include:

  1. Each participating SaaS CSP will get the opportunity to go through the risk assessment of their cloud service, analyse their supply chain, identify weak suppliers and receive a quantitative risk result in dollar terms.
  2. The identification of potential weak spots in the supply chain through a dynamic model, such as the CSCCRA helps CSPs capture the vulnerability of their cloud service and promotes proactive mitigation of risks.
  3. The graphical representation of the inherent risk in the supply chain helps to counter any documented biases in risk estimation and decision-making. It also helps in reducing the cognitive load involved in the estimation of risk factors.

See the document in this link for a graphical perspective and to find out how you can be involved contact Olusola Akinrolabu

Access Type: 
PDF icon Download (627.11 KB)