Delegated Audit of Cloud Provider Chains Using Provider Provisioned Mobile Evidence Collection
Businesses, especially SMEs, increasingly integrate cloud services into their IT infrastructure. To compensate for the loss of control that is inherent in using cloud services, businesses require assurance that security controls are implemented correctly and effectively. Providing this kind of assurance has traditionally been the task of audits and certifications performed by auditors. Cloud auditing becomes increasingly challenging for the auditor when one considers that today's cloud services are often distributed across many cloud providers. There are Software as a Service (SaaS) providers that no longer own dedicated hardware for operating their services but rely solely on cloud providers of the lower layers, such as Infrastructure as a Service (IaaS) providers. Cloud audit of provider chains, that is, the auditing of cloud services provisioned across different providers, is challenging and complex for the auditor.
The main contributions of this paper are: an approach to automated auditing of cloud provider chains with the goal of providing evidence-based assurance that data is handled correctly according to pre-defined policies; concepts of individual and delegated audits, together with a discussion of policy distribution and applicability aspects and a proposed lifecycle model; and delegated auditing of cloud provider chains using a provider-provisioned platform for mobile evidence collection, which allows evidence data to be collected on demand as required by a policy. Further, an extension of the Cloud Security Alliance's (CSA) CloudTrust Protocol forms the basis for the proposed system for provider chain auditing.
This work has been partly funded by the EC under FP7/2007-2013, grant agreement 317550 (A4Cloud).