Requirements Engineering

, Volume 18, Issue 4, pp 299–319 | Cite as

Evaluating cloud deployment scenarios based on security and privacy requirements

  • Christos Kalloniatis
  • Haralambos Mouratidis
  • Shareeful Islam
Req. Engineering for Security, Privacy & Services in Cloud Environments


Migrating organisational services, data and application on the Cloud is an important strategic decision for organisations due to the large number of benefits introduced by the usage of cloud computing, such as cost reduction and on-demand resources. Despite, however, many benefits, there are challenges and risks for cloud adaption related to (amongst others) data leakage, insecure APIs and shared technology vulnerabilities. These challenges need to be understood and analysed in the context of an organisation’s security and privacy goals and relevant cloud computing deployment models. Although the literature provides a large number of references to works that consider cloud computing security issues, no work has been provided, to our knowledge, which supports the elicitation of security and privacy requirements and the selection of an appropriate cloud deployment model based on such requirements. This work contributes towards this gap. In particular, we propose a requirements engineering framework to support the elicitation of security and privacy requirements and the selection of an appropriate deployment model based on the elicited requirements. Our framework provides a modelling language that builds on concepts from requirements, security, privacy and cloud engineering, and a systematic process. We use a real case study, based on the Greek National Gazette, to demonstrate the applicability of our work.


Cloud Cloud deployment model Security requirements Privacy requirements Cloud migration 


  1. 1.
    Microsoft Technical Report (2009) Privacy in the cloud computing era, a Microsoft perspective. Microsoft Corp, RedmondGoogle Scholar
  2. 2.
    Islam S, Mouratidis H, Weippl E (2012) A goal-driven risk management approach to support security and privacy analysis of cloud-based system. In: Rosado DG, Mellado D, Fernández-Medina E, Piattini M (eds) Security engineering for cloud computing: approaches and tools. IGI Global Publication, HersheyGoogle Scholar
  3. 3.
    Version one survey results: cloud confusion amongst IT professionals. 24 June 2009
  4. 4.
    Pearson S, Benameur A (2010) Privacy, security and trust issues arising from cloud computing. In: 2nd IEEE International conference on cloud computing technology and science, IEEE Computer Society, UK, pp 693–702Google Scholar
  5. 5.
    Grobauer B, Walloschek T, Stocker E (2011) Understanding cloud computing vulnerabilities. IEEE Security Priv Mag 9(2):50–57CrossRefGoogle Scholar
  6. 6.
    Kalloniatis C, Kavakli E, Gritzalis S (2008) Addressing privacy requirements in system design: the PriS method. Requir Eng 13(3):241–255CrossRefGoogle Scholar
  7. 7.
    Houmb SH, Islam S, Knauss E, Jürjens J, Schneider K (2010) Eliciting security requirements and tracing them to design: an integration of common criteria, heuristics, and UMLsec. Requir Eng J 15(1):63–93CrossRefGoogle Scholar
  8. 8.
    Islam S, Mouratidis H, Kalloniatis C., Hudic A, Zechner L, (2012a). Model based process to support security and privacy requirements engineering. Int J Secur Softw Eng 3(3):1–22, IGI Global PublicationGoogle Scholar
  9. 9.
    Sindre G, Opdahl AL (2005) Eliciting security requirements with misuse cases. Requir Eng J 10(1):34–44CrossRefGoogle Scholar
  10. 10.
    Khajeh-Hosseini A, Sommerville I, Bogaerts J, Teregowda P (2011) Decision support tools for cloud migration in the enterprise. In: proceeding of IEEE 4th international conference on cloud computing. IEEE Computer SocietyGoogle Scholar
  11. 11.
    Baburajan R The rising cloud storage market opportunity strengthens vendors. infoTECH, August 24, 2011 Retrieved 2011-12-02
  12. 12.
    Kerravala Z, Yankee Group Migrating to the cloud is dependent infrastructure, Tech Target. Retrieved 2011-12-02
  13. 13.
    Voorsluys W, Broberg J, Buyya R (2011) Introduction to cloud computing. In: Buyya R, Broberg J, Goscinski A (eds) A cloud computing: principles and paradigms. Wiley, New York, pp 1–44 ISBN 978-0-470-88799-8CrossRefGoogle Scholar
  14. 14.
    Bruening PJ, Treacy BC (2009) Privacy & security law report: privacy, security issues raised by cloud computing. The Bureau of National Affairs, VirginiaGoogle Scholar
  15. 15.
    Yu E (1995) Modelling strategic relationships for process reengineering, PhD thesis, Department of computer science, University of Toronto, CanadaGoogle Scholar
  16. 16.
    Mouratidis H, Giorgini P (2006) Secure tropos: a security-oriented extension of the tropos methodology. Int J Softw Eng Knowl Eng 17(2):285–309 © World Scientific Publishing CompanyCrossRefGoogle Scholar
  17. 17.
    Kavakli E, Gritzalis S, Kalloniatis C (2007) Protecting privacy in system design: the electronic voting case. Transform Gov People Process Policy 1(4):307–332CrossRefGoogle Scholar
  18. 18.
    Gong C, Liu J, Zhang Q, Chen H Gong Z (2010) The Characteristics of Cloud Computing. In: proceedings of the 2010 39th International Conference on Parallel Processing Workshops, IEEE Computer Society WashingtonGoogle Scholar
  19. 19.
    Mouratidis H, Kalloniatis C, Islam S,Huget MP, Gritzalis S (2012) Aligning security and privacy to support the development of secure information systems. J of Univers Comput Sci 18(12):1608–1627Google Scholar
  20. 20.
    Kalloniatis C, Kavakli E, Gritzalis S (2005) Dealing with privacy issues during the system design process In: Serpanos D et al. (eds), Proceedings of the ISSPIT’05 5th IEEE International symposium on signal processing and information technology. Dec 2005, Athens, Greece, IEEE CPS Conference Publishing Services pp 546–551Google Scholar
  21. 21.
    Kalloniatis C, Kavakli E, Gritzalis S, Methods for designing privacy aware information systems: a review, In: Chrysikopoulos V, Alexandris N, Douligeris C, Sioutas S (eds), Proceedings of the PCI 2009 13th Pan-Hellenic conference on informatics, Sept 2009, Corfu, Greece, IEEE CPS Conference Publishing Services pp.185–194Google Scholar
  22. 22.
    Islam S, Mouratidis H, Wagner S (2010) Toward a framework to elicit and manage security and privacy requirements from laws and regulation, In: Proceeding of requirements engineering: foundation for software quality(REFSQ), Lecture notes in computer science, Vol 6182/2010, pp 255–261Google Scholar
  23. 23.
    Massey AK, Otto PN, Hayward LJ, Antón AI (2010) Evaluating existing security and privacy requirements for legal compliance. Requir Eng J 15(1):119–137CrossRefGoogle Scholar
  24. 24.
    Mulazzani M, Schrittwieser S, Leithner M, Huber M, Weippl E (2011). Dark clouds on the horizon: using cloud storage as attack vector and online slack space. In: Proceedings of Usenix SecurityGoogle Scholar
  25. 25.
    Vivas JL, Agudo I, Lopez J (2011) A methodology for security assurance-driven system development. Requir Eng 16(1):55–73. doi: 10.1007/s00766-010-0114-8 CrossRefGoogle Scholar

Copyright information

© Springer-Verlag London 2013

Authors and Affiliations

  • Christos Kalloniatis
    • 1
  • Haralambos Mouratidis
    • 2
  • Shareeful Islam
    • 2
  1. 1.Department of Cultural Technology and CommunicationUniversity of the AegeanMytileneGreece
  2. 2.School of Architecture, Computing and EngineeringUniversity of East LondonLondonUK

Personalised recommendations