Cloud & SOA Application Security as a Service

  • Ulrich Lang


This paper introduces the concept of moving security and compliance policy automation for Cloud applications and mashups into the Cloud itself. In this way, Cloud applications and mashups can be protected more seamlessly within the Cloud computing paradigm, and the secure software development lifecycle for Cloud applications is improved and simplified. The policy automation aspects covered in this paper include policy configuration, technical policy generation using model-driven security, application authorization management, and incident reporting. Policy configuration is provided as a subscription-based Cloud service to application development tools, while technical policy generation, enforcement and monitoring are embedded into Cloud application development and runtime platforms. OpenPMF Security & Compliance as a Service (“ScaaS”), a reference implementation using ObjectSecurity OpenPMF, is also presented. The paper argues that security and compliance policy management for agile distributed application landscapes such as Cloud mashups needs to be model-driven and automated in order to be agile, manageable, reliable, and scalable.







Copyright information

© Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH 2011

Authors and Affiliations

  • Ulrich Lang, St John’s Innovation Centre, Cambridge, UK
