Abstract
Cloud services promise numerous advantages for companies over traditional in-house data processing in terms of flexibility and cost efficiency. These cloud services vary considerably with respect to the security mechanisms provided. As a result, many security-aware companies have strong concerns in using such services, e.g., with respect to confidentiality, data protection, availability, and control. Moreover, they complain the lack of transparency concerning the security measures and processes the cloud provider has installed. As a solution for the latter one, auditors may evaluate cloud providers and issue certificates attesting whether or not the cloud provider meets certain security requirements or legal regulations. However, due to the characteristics of cloud computing, on-site inspections in the data centers of a cloud provider do not seem to be realistic. In this paper we present a technical solution of an automatically generated data processing certificate for cloud services. Formal policies containing the security requirements the cloud service must comply with are the basis for this certificate. Our contribution uses secure log files as a trustworthy data base for the evaluation of a cloud service. We introduce a secure logging method which is resistant against internal manipulation attempts and that creates tamper-proof and confidential log data. Thus, the logging method is very well suited for the application in the data center of a potential untrustworthy cloud provider (This contribution has been created within the project CloudCycle (http://www.cloudcycle.org). CloudCycle is funded by the German Federal Ministry for Economic Affairs and Energy (BMWi) according to a decision of the German Federal Parliament within the funding priority “Trusted Cloud”.).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Accorsi, R.: Log Data as Digital Evidence: What Secure Logging Protocols Have to Offer? In: 33rd Annual IEEE International Computer Software and Applications Conference (COMPSAC’09), pp. 398–403, (2009)
Bellare, M., Yee, B. S.: Forward Integrity for Secure Audit Logs. University of California at San Diego (1997)
Borges, G. et al.: Datenschutzrechtliche Lösungen für Cloud Computing. Kompetenzzentrum Trusted Cloud, http://www.trusted-cloud.de, (2012)
BSI: Studieüuber die Nutzung von Log- und Monitoringdaten im Rahmen der IT-Frühwarnung und für einen sicheren IT-Betrieb (2007)
Contu, R., Pingree, L., Ahlm, E.: Predicts 2013: Security Solutions. Technical Report, Gartner (2012)
Eurocloud Deutschland eco e.V.: Leitfaden Cloud Computing, (2010)
European Network and Information Security Agency (ENISA): Critical Cloud Computing -A CIIP perspective on cloud computing services, Version 1.0, (2012)
Gerhards, R.: The Syslog Protocol, Request for Comments: 5424, Internet Engineering Task Force IETF (2009)
Gola, P., Schomerus, R.: BDSG Kommentar (2012)
Gonzales, N., Miers, C., Redigolo, F., Simplicio, M., Carvalho, T., N¨aslund, M., Pourzandi, M.: A quantitative analysis of current security concerns and solutions for cloud computing. In: Journal of Cloud Computing: Advances, Systems and Applications, 1(1) (2012)
Hardt, D. (Ed.): The OAuth 2.0 Authorization Framework, Request for Comments: 6749, Internet Engineering Task Force IETF (2012)
Holt, J. E.: Logcrypt: forward security and public verification for secure audit logs. In: Proceedings of the 2006 Australasian workshops on Grid computing and e-research, Volume 54, ACSW Frontiers ’06, pp. 203–211, Australian Computer Society (2006)
ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements (2013)
Lipton, P., Moser, S., Palma, D., Spatzier, T.: Topology and Orchestration Specification for Cloud Applications (TOSCA), Version 1.0, http://www.oasis-open.org/committees/tc\_home.php?wg\_abbrev=tosca OASIS specification (2013)
Merkle, R.: Protocols for Public Key Cryptosystems. In: Proceedings of the 1980 IEEE Symposium on Security and Privacy, Oakland, USA (1980)
National Institute of Standards and Technology (NIST): Guide for Applying the Risk Management Framework to Federal Information Systems - A Security Life Cycle Approach, NIST Special Publication 800-37, (2010)
Niehues, P., Kunz, T., Posiadlo, L.: Das CloudCycle-Ökosystem, Technical report, http: //www.cloudcycle.org, CloudCycle (2013)
Schneider, S., Lansing, J., Sunyaev, A.: Empfehlungen zur Gestaltung von Cloud-Service-Zertifizierungen, In: Industrie Management - Zeitschrift für industrielle Geschäftsprozesse, pp. 13–17 (2013)
Schneier, B., Kelsey, J.: Secure audit logs to support computer forensics, In: ACM Transactions on Information and System Security (TISSEC) 1999, Volume 2, pp. 159–176, ACM New York, USA (1999)
Selzer, A.: Die Kontrollpflicht nach § 11 Abs. 2 Satz 4 BDSG im Zeitalter des Cloud Computing, In: DuD 04/2013
Stathopoulos, V., Kotzanikolaou, P., Magkos, E.: A Framework for Secure and Verifiable Logging in Public Communication Networks, In: Critical Information Infrastructures Security, Lecture Notes in Computer Science, Springer Berlin Heidelberg, pp. 273–284 (2006)
Waizenegger, T., Wieland, M., Binz, T., Breitenb¨ucher, U.: Towards a Policy-Framework for Provisioning and Management of Cloud Services, In: SECURWARE 2013, The Seventh International Conference on Emerging Security Information, Systems and Technologies (2013)
Waizenegger, T., Wieland, M., Binz, T., Breitenb¨ucher, U., Haupt, F., Kopp, O., Leymann, F., Mitschang, B., Nowak, A., Wagner, S.: Policy4TOSCA: A Policy-Aware Cloud Service Provisioning Approach to Enable Secure Cloud Computing, In: DOA-Trusted Cloud’13 International Conference on Secure Virtual Infrastructures (2013)
Waters, B. R., Balfanz, D., Durfee, G., Smetters, D. K.: Building an Encrypted and Searchable Audit Log, Princeton University and Palo Alto Research Center (2004)
Weichert, T.: Cloud Computing und Datenschutz, In: DuD 10/2010
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Kunz, T., Selzer, A., Waldmann, U. (2014). Automatic Data Protection Certificates for Cloud-Services based on Secure Logging. In: Krcmar, H., Reussner, R., Rumpe, B. (eds) Trusted Cloud Computing. Springer, Cham. https://doi.org/10.1007/978-3-319-12718-7_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-12718-7_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12717-0
Online ISBN: 978-3-319-12718-7
eBook Packages: Computer ScienceComputer Science (R0)