Abstract
This systematic literature review explores the landscape of risks and risk management techniques in cloud outsourcing, with a focus on assisting enterprise cloud consumers in understanding and mitigating both technical and non-technical risks, despite having limited control over the infrastructures. From a comprehensive analysis of 55 academic articles, spanning the period from January 2013 to September 2022, we identify and characterize risks using established frameworks from ENISA and Cebula et al. [16]. Using ISO 31000 and the classification proposed by Ardagna et al. [3], we also summarize and characterize 23 main strategies in risk management techniques feasible for cloud consumers, including technical and non-technical measures. We observe a significant emphasis on technical risks in the literature, while non-technical risks, including legal, organizational, and policy aspects, are relatively underrepresented. Threats to data confidentiality dominate the technical risks and mostly originate from shared infrastructure issues. However, non-technical issues, such as vendor lock-in, also pose catastrophic risks to the continuity and business operations of the cloud consumers. We also observe that encryption still plays a key role in the existing techniques, next to other techniques such as auditing, risk-aware software development, and assessments of third parties.
| Original language | English |
|---|---|
| Number of pages | 38 |
| Journal | ACM Computing Surveys |
| Publication status | Submitted - 7 Feb 2024 |
Keywords
- UT-Hybrid-D
- Risk
- Risk Management
- Systematic Literature Review
- Cloud Consumer
- Cloud Outsourcing