This systematic literature review explores the landscape of risks and risk management techniques in cloud outsourcing, with a focus on assisting enterprise cloud consumers in understanding and mitigating both technical and non-technical risks, despite having limited control over the infrastructures. From a comprehensive analysis of 55 academic articles, spanning the period from January 2013 to September 2022, we identify and characterize risks using established frameworks from ENISA and 20. Using ISO31000 and the classification proposed by 4, we also summarize and characterize 23 main strategies in risk management techniques feasible for cloud consumers, including technical and non-technical measures. We observe a significant emphasis on technical risks in the literature, while non-technical risks, including legal, organizational, and policy aspects, are relatively underrepresented. Threats to data confidentiality dominate the technical risks and mostly originate from shared infrastructure issues. However, non-technical issues, such as vendor lock-in, also pose catastrophic risks the continuity and business operations of the cloud consumers. We also observe that encryption still plays a key role in the existing techniques, next to other techniques such as auditing, risk-aware software development, and assessments of third parties.
Haq et al. (Tue,) studied this question.