Abstract
Organizations increasingly adopt, or consider adopting, external services in the hope of greater flexibility and lower costs. However, deficiencies in current processes and tools force service consumers to forgo the expected advantages and to trade profitability off against security. These security and compliance concerns stem predominantly from the neglect, or purely manual resolution, of dependencies between security policies and configurations, caused by the distinct terminologies, languages and tools used at the service provider and at the service customer. To overcome these kinds of problems in collaborative cross–organizational security management, we have developed CoSeRMaS, a collaborative and semi–automated tool to manage, define and validate inter- and cross–organizational security requirements. This paper introduces the CoSeRMaS prototype and gives an overview of the features that have been developed.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Sillaber, C., Brunner, M., Breu, R. (2013). Towards an Architecture for Collaborative Cross–Organizational Security Requirements Management. In: Abramowicz, W. (eds) Business Information Systems. BIS 2013. Lecture Notes in Business Information Processing, vol 157. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38366-3_17
DOI: https://doi.org/10.1007/978-3-642-38366-3_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38365-6
Online ISBN: 978-3-642-38366-3