Abstract
The use of cloud computing services is an attractive opportunity for companies to improve IT services and to achieve almost unlimited scalability of the IT infrastructure, all of this at a significantly lower cost than is possible with internal resources. However, using a cloud service requires a company to trust the vendor to handle the company’s secret data. In order to check that the compliance demands for the required security level are met, the business processes of the cloud vendor have to be inspected thoroughly. This is a time-consuming and expensive task that has to be repeated continuously. Furthermore, company data is increasingly subject to compliance checks against legal regulations that differ by geographical location, for instance the Sarbanes-Oxley Act (SOX) or the HIPAA Act in the health domain in the U.S., or Basel II and Solvency II in Europe. We report on ongoing research into an automated compliance analysis method specifically for analysing the business processes of a cloud service provider. Nowadays, customers of cloud services can only inquire about the existence of single security features such as a firewall; a review of the entire security concept at the process level is seldom possible.
This work was supported through the Fraunhofer-Attract project “Architectures for Auditable Business Process Execution (APEX)”
Copyright information
© 2011 Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH
About this chapter
Cite this chapter
Beckers, K., Jürjens, J. (2011). Security and Compliance in Clouds. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2010 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9788-6_9
DOI: https://doi.org/10.1007/978-3-8348-9788-6_9
Publisher Name: Vieweg+Teubner
Print ISBN: 978-3-8348-1438-8
Online ISBN: 978-3-8348-9788-6