Abstract
This chapter presents a certification-based assurance solution for the cloud developed in the FP7 EU project CUMULUS. It gives an overview of the CUMULUS certification models, which underpin the certification processes implemented and managed by the CUMULUS certification framework. A certification model drives the collection of the evidence the framework uses to assess whether the system under certification supports the required security properties, and governs how certificates attesting compliance with those properties are generated and managed (the certification process). The collected evidence can be of three types (test-based, monitoring-based, and trusted-computing-based) and is tailored to the peculiarities of cloud environments. The framework also supports continuous and incremental evaluation of services running in the production cloud, so that a certificate reflects the current state of a service rather than a one-off assessment.
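The abstract describes the mechanics only at a high level: a model names a security property and the kinds of evidence it requires, collectors produce evidence over time, and the framework keeps deciding whether a certificate can be issued or must be suspended or revoked. The following toy evaluator, written as an added illustration for this page and not CUMULUS code, makes that loop concrete. All names (`CertificationModel`, `Evidence`, `evaluate`, the property id, the measured component names) and the decision rules (a failed test or a recent monitoring violation revokes, a stale test result only suspends, a platform measurement that differs from the golden value revokes) are assumptions chosen for the example. Trusted-computing evidence is reduced to a PCR-style extend chain compared against a golden value; a real deployment would verify a signed TPM quote over a fresh nonce before trusting the reported digest, which this example deliberately omits.

```python
"""Toy evidence-driven certificate evaluator (illustration, not CUMULUS code)."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    ISSUED = "issued"
    SUSPENDED = "suspended"    # evidence is stale; refresh before trusting again
    REVOKED = "revoked"        # evidence contradicts the certified property
    NOT_ISSUED = "not_issued"  # a required kind of evidence was never collected


@dataclass(frozen=True)
class Evidence:
    kind: str          # "test", "monitoring" or "tc" (trusted computing)
    collected_at: int  # Unix seconds on the collector's clock (assumed trusted here)
    satisfied: bool    # collector's verdict on the property
    digest: str = ""   # tc evidence only: reported PCR value, hex


@dataclass(frozen=True)
class CertificationModel:
    property_id: str
    required_kinds: frozenset   # every kind listed must have evidence
    test_validity: int          # seconds a passing test result stays fresh
    monitoring_window: int      # seconds back over which violations count
    golden_pcr: str             # expected PCR value of the certified stack


def pcr_extend(pcr_hex: str, measurement: bytes) -> str:
    """TPM-style extend: new = SHA-256(old || SHA-256(measurement))."""
    return hashlib.sha256(bytes.fromhex(pcr_hex)
                          + hashlib.sha256(measurement).digest()).hexdigest()


def golden_pcr_for(components) -> str:
    """Replay the measured-boot chain of known-good components from a zeroed PCR."""
    pcr = "00" * 32
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def evaluate(model: CertificationModel, evidence, now: int):
    """Return (Status, reason) for the certificate given all evidence collected so far.

    Calling this again whenever a collector adds evidence gives the continuous,
    incremental re-evaluation the chapter describes: no state beyond the evidence log.
    """
    by_kind = {k: [e for e in evidence if e.kind == k] for k in model.required_kinds}
    missing = sorted(k for k, items in by_kind.items() if not items)
    if missing:
        return Status.NOT_ISSUED, f"no evidence of kind(s): {missing}"

    revoke, suspend = [], []
    if "tc" in by_kind:
        latest = max(by_kind["tc"], key=lambda e: e.collected_at)
        if latest.digest != model.golden_pcr:
            revoke.append("platform measurement differs from golden PCR")
    if "monitoring" in by_kind:
        violations = [e for e in by_kind["monitoring"]
                      if not e.satisfied and now - e.collected_at <= model.monitoring_window]
        if violations:
            revoke.append(f"{len(violations)} monitoring violation(s) within window")
    if "test" in by_kind:
        latest = max(by_kind["test"], key=lambda e: e.collected_at)
        if not latest.satisfied:
            revoke.append("latest test run failed")
        elif now - latest.collected_at > model.test_validity:
            suspend.append("test evidence older than validity period")

    if revoke:
        return Status.REVOKED, "; ".join(revoke)
    if suspend:
        return Status.SUSPENDED, "; ".join(suspend)
    return Status.ISSUED, "all required evidence present and consistent"


# Constructed sample data: a hypothetical certified stack and its evidence log.
GOLDEN = golden_pcr_for([b"bootloader-v3", b"hypervisor-v7", b"storage-service-v1.4"])
MODEL = CertificationModel("confidentiality-at-rest",
                           frozenset({"test", "monitoring", "tc"}),
                           test_validity=86_400, monitoring_window=3_600, golden_pcr=GOLDEN)
BASELINE = [Evidence("test", 1_000, True),
            Evidence("monitoring", 1_500, True),
            Evidence("tc", 1_200, True, GOLDEN)]


def demo_statuses():
    """Four re-evaluations of the same certificate as evidence and time move on."""
    issued = evaluate(MODEL, BASELINE, now=2_000)[0]
    patched_stack = golden_pcr_for([b"bootloader-v3", b"hypervisor-v7",
                                    b"storage-service-v1.4-patched"])
    tampered = evaluate(MODEL, BASELINE + [Evidence("tc", 2_500, True, patched_stack)], 3_000)[0]
    violated = evaluate(MODEL, BASELINE + [Evidence("monitoring", 2_800, False)], 3_000)[0]
    stale = evaluate(MODEL, BASELINE, now=1_000 + 86_400 + 1)[0]
    return issued, tampered, violated, stale


if __name__ == "__main__":
    for label, status in zip(("baseline", "re-measured", "violation", "stale"), demo_statuses()):
        print(f"{label:12s} -> {status.value}")
```

The point of keeping the evaluator stateless over an append-only evidence log is that re-evaluation after each new collector report is cheap and auditable: the certificate's status at any instant is a pure function of the evidence and the model, which is what makes the continuous and incremental evaluation mentioned in the abstract tractable.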
Acknowledgements
The work presented in this chapter has been partially funded by the EU FP7 project CUMULUS (grant no 318580).
© 2015 Springer International Publishing Switzerland
Cite this chapter
Anisetti, M. et al. (2015). Security Certification for the Cloud: The CUMULUS Approach. In: Zhu, S., Hill, R., Trovati, M. (eds) Guide to Security Assurance for Cloud Computing. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-25988-8_8
DOI: https://doi.org/10.1007/978-3-319-25988-8_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25986-4
Online ISBN: 978-3-319-25988-8