Advertisement

Security and Compliance in Clouds

  • Kristian Beckers
  • Jan Jürjens

Abstract

The use of cloud computing services is an attractive opportunity for companies to improve IT Services and to achieve almost unlimited scalability of the IT infrastructure, and all of this at a significantly reduced cost than this is possible with internal resources. However, the use of a cloud service requires a company to trust the vendor to deal with the company’s secret data. In order to check the compliance demands for the required security level, the business processes of the cloud vendor have to be inspected thoroughly. This is a time consuming and expensive task which has to be repeated continuously. Furthermore, company data is increasingly subject to compliance checks for legal regulations that differ in each geographical location, for instance the Sarbanes-Oxley Act (SOX) or the HIPPAA Act in the health domain in the U.S., or Basel II, Solvency II in Europe. We report on ongoing research about an automated compliance analysis method specifically for the analysis of the business processes of a cloud service provider. Nowadays, customers of cloud services can only inquire the existence of single security features like a firewall. The review of the entire security concept on a process level is seldom possible.

Keywords

Cloud Computing Business Process Cloud Service Cloud System Eclipse Modelling Framework 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Armbrust, M.; Fox, A.; Griffith, R.; Joseph, A.D.; Katz, R.H.; Konwinski, A.; Lee, G.; Patterson, D.A.; Rabkin, Ariel; Stoica, Ion; Zaharia, M.: Above the Clouds: A Berkeley View of Cloud Computing, technical report, UCB/EECS-2009-28, EECS Department University of California, Berkeley, 2009Google Scholar
  2. Bartsch, M.: Cloud Security, TüV Informationstechnik GmbH, Unternehmensgruppe TÜV NORD, Präsentation, 2009Google Scholar
  3. Beres, Y.; Baldwin, A.; Shiu, S.: Model-Based Assurance of Security Controls, technical report HPL-2008, HP Labs Bristol, 2008.Google Scholar
  4. Barth, A.; Datta, A.; Mitchell, J. C.; Nissenbaum, H.: Privacy and Contextual Integrity: Framework and Applications SP ‚06: Proceedings of the 2006 IEEE Symposium on Security and Privacy, IEEE Computer Society, 2006, 184–198Google Scholar
  5. Bertino, E.; Paci, F.; Ferrini, R.; Shang, N.: Privacy-preserving Digital Identity Management for Cloud Computing. IEEE Data Eng. Bull., 2009, 32, 21–27Google Scholar
  6. Bierekoven, C.; Rödl & Partner: Die Herausforderung für die Daten- und Rechtssicherheit, GI Workshop „Cloud-Computing“, 2009Google Scholar
  7. Bertino, E.; Paci, F.; Shang, N.; Ferrini, R.: Privacy-preserving Digital Identity Management for Cloud Computing, IEEE Data Eng, Bull, 32(1), 21–27, 2009Google Scholar
  8. The Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing, homepage,http://www.cloudsecurityalliance.org/, 2010
  9. The Cloud Security Alliance: Top Threats to Cloud Computing, homepage,http://www.cloudsecurityalliance.org/, 2010
  10. Cavoukian, A.: Privacy in the clouds, Identity Journal Limited, Springer, 2008Google Scholar
  11. Clauss, S.; Köhntopp, M.: Identity management and its support of multilateral security Comp. Netw., Elsevier North-Holland, Inc., 2001, 37, 205–219Google Scholar
  12. Essoh, A.D.: IT-Grundschutz und Cloud Computing, SECMGT Workshop, BSI, 2009Google Scholar
  13. Hafner, M., Alam, M. & Breu, R. (2006) Towards a MOF/QVT-based Domain Architecture for Model Driven Security. Proceedings of the 9th International Conference on Model Driven Engineering Languages and Systems (Models 2006). Geneva, Italy.Google Scholar
  14. Hansen, M.; Schwartz, A.; Cooper, A.: Privacy and Identity Management IEEE Security and Privacy, IEEE Educational Activities Department, 2008, 6, 38–45Google Scholar
  15. Houmb,S.H.; Georg, G.; France, R.; Bieman, J.; Jürjens, J.: Cost-Benefit Trade-Off Analysis using BBN for Aspect-Oriented Risk-Driven Development, ICECCS 2005, IEEE Computer Society, pp 195–204Google Scholar
  16. Höhn, S.; Jürjens, J.: Rubacon: automated support for model-based compliance engineering, 30th International Conference on Software Engineering (ICSE 2008), ACM 2008, pp. 875–878Google Scholar
  17. IDC-Study: Cloud Computing in Deutschland ist noch nicht angekommen http://www.idc.com/germany/press/presse_cloudcomp.jsp, 2009
  18. Jaeger, T.; Schiffman, J.: Outlook: Cloudy with a Chance of Security Challenges and Improvements IEEE Security and Privacy, IEEE Computer Society, 2010, 8, 77–80Google Scholar
  19. Jürjens, J.: Principles for Secure Systems Design, PhD thesis, 2002, Oxford UniversityGoogle Scholar
  20. Jürjens, J., Secure Systems Development with UML, Springer Academic Publishers, 2005.Google Scholar
  21. Lodderstedt, T., Basin, D.; Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. IN JÉZÉQUEL, J.-M., HUSSMANN, H. & COOK, S. (Eds.) 5th International Conference on the Unified Modeling Language. Springer, 2002Google Scholar
  22. Mather, T.; Kumaraswamy, S.; Latif, S.: Cloud Security and Privacy, O‘Reilly, 2009Google Scholar
  23. Mell, P.: Grance, T.: Effectively and Securely Using the Cloud Computing Paradigm, NIST, Presentation, 2009Google Scholar
  24. Mont, M. C.; Pearson, S.; Bramhall, P.: Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services DEXA ‚03: Proceedings of the 14th International Workshop on Database and Expert Systems Applications, IEEE Computer Society, 2003, 377Google Scholar
  25. Pfitzmann, B. & Waidner, M.: Federated Identity-Management Protocols - Where User Authentication Protocols May Go-In 11th Cambridge International Workshop on Security Protocols, Springer-Verlag, 2003, 153–174Google Scholar
  26. Streitberger, W.; Ruppel, A.: Cloud Computing Sicherheit – Schutzziele.Taxonomie.Marktübersicht, Fraunhofer Institute for Secure Information Technology SIT, 2009Google Scholar

Copyright information

© Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH 2011

Authors and Affiliations

  • Kristian Beckers
    • 1
  • Jan Jürjens
    • 2
    • 3
  1. 1.Project Group APEXFraunhofer ISSTDortmundGermany
  2. 2.Project Group APEXFraunhofer ISSTDortmundGermany
  3. 3.Software Engineering (LS 14), Fak.Informatics, TU DortmundDortmundGermany

Personalised recommendations