Using Ontologies to Analyze Compliance Requirements of Cloud-Based Processes

  • Thorsten Humberg
  • Christian Wessel
  • Daniel Poggenpohl
  • Sven Wenzel
  • Thomas Ruhroth
  • Jan Jürjens
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 453)


In recent years, the concept of cloud computing has seen significant growth. The spectrum of available services covers most, if not all, aspects needed in existing business processes, allowing companies to outsource large parts of their IT infrastructure to cloud service providers. While this prospect might offer considerable economic advantages, it is hindered by concerns regarding information security as well as compliance issues. Relevant regulations are imposed by several sources, such as legal regulations or standards for information security, and their sheer extent makes it difficult to identify those aspects relevant for a given company. In order to support the identification of relevant regulations, we developed an approach to represent regulations in the form of ontologies, which can then be used to examine a given system for compliance requirements. Additional tool support is offered to check system models for certain properties that have been found relevant.


Keywords: Cloud computing, Compliance, Business processes, Risks, Ontologies



Parts of this research have been funded by the DFG project SecVolution (JU 2734/2-1 and SCHN 1072/4-1) which is part of the priority programme SPP 1593 “Design For Future - Managed Software Evolution”.

Other parts have been funded by BMBF grants 01IS11008C and 01IS11008D (SecureClouds).



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Thorsten Humberg (2)
  • Christian Wessel (1)
  • Daniel Poggenpohl (2)
  • Sven Wenzel (2)
  • Thomas Ruhroth (1)
  • Jan Jürjens (1, 2)

  1. Chair of Software Engineering, Technical University Dortmund, Dortmund, Germany
  2. Fraunhofer Institute for Software and Systems Engineering ISST, Dortmund, Germany