Advances, Systems and Applications
Table 1 ENISA’s list of risk scenarios and their categories
From: A risk assessment model for selecting cloud service providers
Risk category | Risk name |
|---|---|
Policy & Organizational | P1. Lock-in |
P2. Loss of governance | |
P3. Compliance challenges | |
P4. Loss of business reputation due to co-tenant activities | |
P5. Cloud service termination or failure | |
P6. Cloud provider acquisition | |
P7. Supply chain failure | |
Technical | T1. Resource exhaustion (under or over provisioning) |
T2. Isolation failure | |
T3. Cloud provider malicious insider - abuse of high privilege roles | |
T4. Management interface compromise (manipulation, availability of infrastructure) | |
T5. Intercepting data in transit | |
T6. Data leakage on up/download, intra-cloud | |
T7. Insecure or ineffective deletion of data | |
T8. Distributed denial of service (DDoS) | |
T9. Economic denial of service (EDOS) | |
T10. Loss of encryption keys | |
T11. Undertaking malicious probes or scans | |
T12. Compromise service engine | |
T13. Conflicts between customer hardening procedures and cloud environment | |
Legal | L1. Subpoena and e-discovery |
L2. Risk from changes of jurisdiction | |
L3. Data protection risks | |
L4. Licensing risks | |
Not Specific to the Cloud | N1. Network breaks |
N2. Network management (ie, network congestion / mis-connection / non-optimal use) | |
N3. Modifying network traffic | |
N4. Privilege escalation | |
N5. Social engineering attacks (ie, impersonation) | |
N6. Loss or compromise of operational logs | |
N7. Loss or compromise of security logs (manipulation of forensic investigation) | |
N8. Backups lost, stolen | |
N9. Unauthorized access to premises (including physical access to machines and other facilities) | |
N10. Theft of computer equipment | |
N11. Natural disasters |