Cloud computing can be particularly beneficial to small businesses since
it can decrease the total cost of ownership for IT systems.
Unfortunately, one of the major barriers to adoption of cloud services
is the perception that they are inherently less secure, exposing the
organization to unacceptable risk. There are standard processes for
managing security risk that can help businesses make trade-off
decisions, but these processes currently cannot be applied to cloud
computing since the security details of cloud services are not typically
available to small businesses. This lack of information leads to a lack
of trust: small businesses cannot evaluate the security of cloud
services. This paper proposes an approach for cooperation between cloud
vendors and small businesses based on the NIST Risk Management
Framework. Security Risk Agreements would address the lack of trust so
that small businesses can confidently adopt cloud services, benefiting
both small businesses and cloud vendors.
HTML and PDF versions at Galois.com.