Advances, Systems and Applications
Table 1 ENISA’s list of risk scenarios and their categories
From: A risk assessment model for selecting cloud service providers
Risk category | Risk name |
|---|---|
Policy & Organizational | P1. Lock-in |
| Â | P2. Loss of governance |
| Â | P3. Compliance challenges |
| Â | P4. Loss of business reputation due to co-tenant activities |
| Â | P5. Cloud service termination or failure |
| Â | P6. Cloud provider acquisition |
| Â | P7. Supply chain failure |
Technical | T1. Resource exhaustion (under or over provisioning) |
| Â | T2. Isolation failure |
| Â | T3. Cloud provider malicious insider - abuse of high privilege roles |
| Â | T4. Management interface compromise (manipulation, availability of infrastructure) |
| Â | T5. Intercepting data in transit |
| Â | T6. Data leakage on up/download, intra-cloud |
| Â | T7. Insecure or ineffective deletion of data |
| Â | T8. Distributed denial of service (DDoS) |
| Â | T9. Economic denial of service (EDOS) |
| Â | T10. Loss of encryption keys |
| Â | T11. Undertaking malicious probes or scans |
| Â | T12. Compromise service engine |
| Â | T13. Conflicts between customer hardening procedures and cloud environment |
Legal | L1. Subpoena and e-discovery |
| Â | L2. Risk from changes of jurisdiction |
| Â | L3. Data protection risks |
| Â | L4. Licensing risks |
Not Specific to the Cloud | N1. Network breaks |
| Â | N2. Network management (ie, network congestion / mis-connection / non-optimal use) |
| Â | N3. Modifying network traffic |
| Â | N4. Privilege escalation |
| Â | N5. Social engineering attacks (ie, impersonation) |
| Â | N6. Loss or compromise of operational logs |
| Â | N7. Loss or compromise of security logs (manipulation of forensic investigation) |
| Â | N8. Backups lost, stolen |
| Â | N9. Unauthorized access to premises (including physical access to machines and other facilities) |
| Â | N10. Theft of computer equipment |
| Â | N11. Natural disasters |