Advances, Systems and Applications

Table 1 ENISA’s list of risk scenarios and their categories

From: A risk assessment model for selecting cloud service providers

| Risk category | Risk name |
| --- | --- |
| Policy & Organizational | P1. Lock-in |
| | P2. Loss of governance |
| | P3. Compliance challenges |
| | P4. Loss of business reputation due to co-tenant activities |
| | P5. Cloud service termination or failure |
| | P6. Cloud provider acquisition |
| | P7. Supply chain failure |
| Technical | T1. Resource exhaustion (under or over provisioning) |
| | T2. Isolation failure |
| | T3. Cloud provider malicious insider - abuse of high privilege roles |
| | T4. Management interface compromise (manipulation, availability of infrastructure) |
| | T5. Intercepting data in transit |
| | T6. Data leakage on up/download, intra-cloud |
| | T7. Insecure or ineffective deletion of data |
| | T8. Distributed denial of service (DDoS) |
| | T9. Economic denial of service (EDOS) |
| | T10. Loss of encryption keys |
| | T11. Undertaking malicious probes or scans |
| | T12. Compromise service engine |
| | T13. Conflicts between customer hardening procedures and cloud environment |
| Legal | L1. Subpoena and e-discovery |
| | L2. Risk from changes of jurisdiction |
| | L3. Data protection risks |
| | L4. Licensing risks |
| Not Specific to the Cloud | N1. Network breaks |
| | N2. Network management (ie, network congestion / mis-connection / non-optimal use) |
| | N3. Modifying network traffic |
| | N4. Privilege escalation |
| | N5. Social engineering attacks (ie, impersonation) |
| | N6. Loss or compromise of operational logs |
| | N7. Loss or compromise of security logs (manipulation of forensic investigation) |
| | N8. Backups lost, stolen |
| | N9. Unauthorized access to premises (including physical access to machines and other facilities) |
| | N10. Theft of computer equipment |
| | N11. Natural disasters |