
Delegated Audit of Cloud Provider Chains Using Provider Provisioned Mobile Evidence Collection

  • Christoph Reich
  • Thomas Rübsamen
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 740)

Abstract

Businesses, especially SMEs, increasingly integrate cloud services into their IT infrastructure. To attenuate the loss of control that is inherent in using cloud services, businesses require assurance that security controls are implemented correctly and effectively. Providing this kind of assurance is traditionally the task of audits and certifications carried out by auditors. Cloud auditing becomes increasingly challenging for the auditor, given that today cloud services are often distributed across many cloud providers. There are Software as a Service (SaaS) providers that no longer own dedicated hardware for operating their services but rely solely on cloud providers of the lower layers, such as Infrastructure as a Service (IaaS) providers. Cloud audit of provider chains, that is, cloud auditing of a cloud service provisioned across different providers, is challenging and complex for the auditor.

The main contributions of this paper are: an approach to automated auditing of cloud provider chains with the goal of providing evidence-based assurance about the correct handling of data according to pre-defined policies; the concepts of individual and delegated audits, together with a discussion of policy distribution and applicability aspects and a proposed lifecycle model; and delegated auditing of cloud provider chains using a provider-provisioned platform for mobile evidence collection, which allows evidence data to be collected on demand as required by a policy. Further, an extension of the Cloud Security Alliance's (CSA) CloudTrust Protocol forms the basis of the proposed system for provider chain auditing.

Notes

Acknowledgements

This work has been partly funded by the EC under FP7/2007-2013, grant agreement 317550 (A4Cloud).

References

  1. Azraoui, M., Elkhiyaoui, K., Önen, M., Bernsmed, K., Oliveira, A.S., Sendor, J.: A-PPL: an accountability policy language. In: Garcia-Alfaro, J., Herrera-Joancomartí, J., Lupu, E., Posegga, J., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA/SETOP 2014. LNCS, vol. 8872, pp. 319–326. Springer, Cham (2015). doi: 10.1007/978-3-319-17016-9_21
  2.
  3. Cloud Security Alliance: Top threats to cloud computing survey results update 2012 (2013). https://downloads.cloudsecurityalliance.org/initiatives/top_threats/Top_Threats_Cloud_Computing_Survey_2012.pdf
  4. Cloud Security Alliance: Cloud Controls Matrix (2014). https://cloudsecurityalliance.org/research/ccm/
  5. Cloud Security Alliance: CloudTrust Protocol (2016). https://cloudsecurityalliance.org/research/ctp
  6. Distributed Management Task Force, Inc. (DMTF): Cloud Auditing Data Federation (CADF) - data format and interface definitions specification (2014). http://www.dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
  7. Doelitzscher, F., Rübsamen, T., Karbe, T., Reich, C., Clarke, N.: Sun behind clouds - on automatic cloud security audits and a cloud audit policy language. Int. J. Adv. Netw. Serv. 6(1&2) (2013)
  8. Kertesz, A., Kecskemeti, G., Oriol, M., Kotcauer, P., Acs, S., Rodríguez, M., Mercè, O., Marosi, A., Marco, J., Franch, X.: Enhancing federated cloud management with an integrated service monitoring approach. J. Grid Comput. 11(4), 699–720 (2013). http://dx.doi.org/10.1007/s10723-013-9269-0
  9. Liu, F., Tong, J., Mao, J., Bohn, R., Messina, J., Badger, L., Leaf, D.: NIST cloud computing reference architecture (2011). http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909505
  10. Massonet, P., Naqvi, S., Ponsard, C., Latanicki, J., Rochwerger, B., Villari, M.: A monitoring and audit logging architecture for data location compliance in federated cloud infrastructures. In: 2011 IEEE International Symposium on Parallel and Distributed Processing Workshops and PhD Forum (IPDPSW), pp. 1510–1517, May 2011
  11. Microsoft Developer Network: The STRIDE Threat Model (2014). https://msdn.microsoft.com/en-US/library/ee823878(v=cs.20).aspx
  12. Muller, C., Oriol, M., Rodriguez, M., Franch, X., Marco, J., Resinas, M., Ruiz-Cortes, A.: SALMonADA: a platform for monitoring and explaining violations of WS-Agreement-compliant documents. In: 2012 ICSE Workshop on Principles of Engineering Service Oriented Systems (PESOS), pp. 43–49, June 2012
  13. Povedano-Molina, J., Lopez-Vega, J.M., Lopez-Soler, J.M., Corradi, A., Foschini, L.: DARGOS: a highly adaptable and scalable monitoring architecture for multi-tenant clouds. Future Gener. Comput. Syst. 29(8), 2041–2056 (2013). http://www.sciencedirect.com/science/article/pii/S0167739X13000824
  14. Rizvi, S., Ryoo, J., Liu, Y., Zazworsky, D., Cappeta, A.: A centralized trust model approach for cloud computing. In: 2014 23rd Wireless and Optical Communication Conference (WOCC), pp. 1–6, May 2014
  15. Rübsamen, T., Reich, C.: Supporting cloud accountability by collecting evidence using audit agents. In: 2013 IEEE 5th International Conference on Cloud Computing Technology and Science (CloudCom), vol. 1, pp. 185–190, December 2013
  16. Rübsamen, T., Hölscher, D., Reich, C.: Towards auditing of cloud provider chains using CloudTrust Protocol. In: Proceedings of the 6th International Conference on Cloud Computing and Service Science (CLOSER 2016), pp. 83–94. SciTePress (2016)
  17. Rübsamen, T., Pulls, T., Reich, C.: Secure evidence collection and storage for cloud accountability audits. In: CLOSER 2015 - Proceedings of the 5th International Conference on Cloud Computing and Services Science, Lisbon, Portugal, 20–22 May 2015. SciTePress (2015)
  18. Rübsamen, T., Reich, C.: An architecture for cloud accountability audits. In: Baden-Württemberg Center of Applied Research Symposium on Information and Communication Systems, SInCom 2014 (2014)
  19. Saleh, M.: Construction of agent-based trust in cloud infrastructure. In: 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing (UCC), pp. 941–946, December 2014
  20. Scientific Working Groups on Digital Evidence and Imaging Technology: SWGDE and SWGIT Digital and Multimedia Evidence Glossary (2015). https://www.swgde.org/documents/Current%20Documents/2015-05-27%20SWGDE-SWGIT%20Glossary%20v2.8

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Institute for Cloud Computing and IT Security, Furtwangen University of Applied Sciences, Furtwangen, Germany
