Cloud computing brings business opportunities to the IT industry, but it also brings significant challenges. Customers will adopt cloud services only if the security of their information can be assured, and the recent wave of advanced persistent threat (APT) attacks has made customers hesitant to adopt them. To address the potential risks of adopting cloud services, this study proposes a risk assessment method: it draws on the cloud-service information security frameworks published by the Cloud Security Alliance (CSA) and the European Network and Information Security Agency (ENISA) to determine the risk items of a cloud-service adoption project, and applies the fuzzy analytic hierarchy process (FAHP) to evaluate and rank those risk items by priority. The proposed method and the accompanying case study help enterprises understand the risk items involved in migrating applications to cloud services and the priority with which each should be controlled, so that they can decide how to allocate information security resources and reduce the potential impact after the system is adopted.
Cloud computing presents the IT industry not only with exciting opportunities but also with significant challenges, since consumers are reluctant to adopt cloud computing solutions in the absence of firm guarantees regarding the security of their information. Network attacks such as advanced persistent threat (APT) attacks are today a serious obstacle to consumer acceptance of cloud service projects. Accordingly, the present study proposes a project risk assessment scheme and constructs a risk evaluation matrix based on the security frameworks published by the Cloud Security Alliance (CSA) and the European Network and Information Security Agency (ENISA). The risk priorities of the attributes are then evaluated with the fuzzy analytic hierarchy process (FAHP) method as part of the risk assessment. Overall, the results confirm that the proposed method provides an effective means for enterprises to recognize the risk attributes and their priorities, to decide the allocation of the risk budget, and to reduce the impact of potential risks.
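The abstract names FAHP as the ranking step but, being an abstract, does not show the arithmetic. The following Python script is an added worked example, not code or data from the paper: it carries out the FAHP prioritisation with Buckley's fuzzy geometric-mean method (fuzzy pairwise comparison matrix, fuzzy geometric mean per row, fuzzy weights, centroid defuzzification, normalisation). The four risk attributes and the pairwise judgments are constructed for the example and only loosely echo items found in the ENISA catalogue; the triangular fuzzy scale for Saaty's 1 to 9 ratings is one common choice in the FAHP literature and is assumed here; and the consistency-ratio check (Saaty's CR computed on the modal values of the fuzzy judgments) is added because a practitioner should refuse to rank on inconsistent judgments.

```python
"""
Fuzzy AHP (Buckley's geometric-mean variant) for ranking cloud-adoption risk attributes.
Added illustration: the attribute list, judgments and fuzzy scale are assumptions
for this example, not the paper's data.
"""
from math import prod
from typing import Dict, List, Tuple

TFN = Tuple[float, float, float]  # triangular fuzzy number (l, m, u), l <= m <= u

# Assumed fuzzification of Saaty's 1-9 scale (one common choice in the FAHP literature).
FUZZY_SCALE: Dict[int, TFN] = {1: (1, 1, 1), 3: (2, 3, 4), 5: (4, 5, 6), 7: (6, 7, 8), 9: (8, 9, 9)}

# Saaty's random consistency index, indexed by matrix size, for the CR check.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def tfn_inverse(t: TFN) -> TFN:
    """Reciprocal of a TFN: (l, m, u)^-1 = (1/u, 1/m, 1/l)."""
    l, m, u = t
    return (1 / u, 1 / m, 1 / l)


def tfn_mul(a: TFN, b: TFN) -> TFN:
    """Component-wise product of two TFNs."""
    return (a[0] * b[0], a[1] * b[1], a[2] * b[2])


def tfn_geometric_mean(values: List[TFN]) -> TFN:
    """Component-wise n-th root of the product of TFNs (fuzzy geometric mean)."""
    n = len(values)
    l, m, u = (prod(v[k] for v in values) ** (1 / n) for k in range(3))
    return (l, m, u)


def build_fuzzy_matrix(names: List[str], judgments: Dict[Tuple[str, str], int]) -> List[List[TFN]]:
    """Pairwise comparison matrix; judgments[(i, j)] = s means 'i is s times as important as j'."""
    idx = {name: i for i, name in enumerate(names)}
    n = len(names)
    a = [[(1.0, 1.0, 1.0)] * n for _ in range(n)]
    for (i_name, j_name), scale in judgments.items():
        i, j = idx[i_name], idx[j_name]
        a[i][j] = FUZZY_SCALE[scale]
        a[j][i] = tfn_inverse(FUZZY_SCALE[scale])
    return a


def fuzzy_weights(matrix: List[List[TFN]]) -> List[TFN]:
    """Buckley: r_i = fuzzy geometric mean of row i; w_i = r_i (x) (r_1 (+) ... (+) r_n)^-1."""
    r = [tfn_geometric_mean(row) for row in matrix]
    total = (sum(t[0] for t in r), sum(t[1] for t in r), sum(t[2] for t in r))
    inv_total = tfn_inverse(total)
    return [tfn_mul(ri, inv_total) for ri in r]


def defuzzify(weights: List[TFN]) -> List[float]:
    """Centroid of each fuzzy weight, normalised so the crisp priorities sum to 1."""
    crisp = [sum(w) / 3 for w in weights]
    s = sum(crisp)
    return [c / s for c in crisp]


def consistency_ratio(matrix: List[List[TFN]]) -> float:
    """Saaty's CR on the modal (m) values of the fuzzy judgments; CR > 0.10 is unacceptable."""
    n = len(matrix)
    crisp = [[t[1] for t in row] for row in matrix]
    gm = [prod(row) ** (1 / n) for row in crisp]
    w = [g / sum(gm) for g in gm]
    lam = sum(sum(crisp[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    return ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0


def rank_risks(names: List[str], judgments: Dict[Tuple[str, str], int]) -> Tuple[Dict[str, float], float]:
    """Return {attribute: priority} and the CR; refuse to rank inconsistent judgments."""
    matrix = build_fuzzy_matrix(names, judgments)
    cr = consistency_ratio(matrix)
    if cr > 0.10:
        raise ValueError(f"judgments inconsistent (CR={cr:.3f} > 0.10); re-elicit before ranking")
    return dict(zip(names, defuzzify(fuzzy_weights(matrix)))), cr


# Constructed sample (not the paper's risk items): four attributes loosely inspired by ENISA's list.
RISKS = ["data breach", "isolation failure", "vendor lock-in", "loss of governance"]
JUDGMENTS = {  # (i, j): s  ->  i is s times as important as j on Saaty's scale
    ("data breach", "isolation failure"): 3,
    ("data breach", "vendor lock-in"): 5,
    ("data breach", "loss of governance"): 3,
    ("isolation failure", "vendor lock-in"): 3,
    ("isolation failure", "loss of governance"): 1,
    ("loss of governance", "vendor lock-in"): 3,
}

if __name__ == "__main__":
    weights, cr = rank_risks(RISKS, JUDGMENTS)
    print(f"consistency ratio: {cr:.3f}")
    for name, w in sorted(weights.items(), key=lambda kv: -kv[1]):
        print(f"{name:20s} {w:.3f}")
```

The ordering of the normalised priorities is the control priority the abstract refers to; the fuzzy weights themselves (the (l, m, u) triples before defuzzification) show how much spread the linguistic judgments leave around each priority, which is the information a crisp AHP discards. If `consistency_ratio` exceeds 0.10 the script stops rather than rank, since an inconsistent comparison matrix produces an ordering that merely reflects elicitation noise.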