Security Certification for the Cloud: The CUMULUS Approach

  • Marco Anisetti
  • Claudio A. Ardagna
  • Ernesto Damiani
  • Antonio Maña
  • George Spanoudakis
  • Luca Pino
  • Hristo Koshutanski
Part of the Computer Communications and Networks book series (CCN)


This chapter presents a certification-based assurance solution for the cloud, which has been developed as part of the FP7 EU Project CUMULUS. It provides an overview of the CUMULUS certification models, which are at the basis of the certification processes implemented and managed by the CUMULUS certification framework. Certification models drive the collection of evidence used by the framework to assess whether the system under certification supports required security properties, and generate and manage certificates proving compliance to such properties (certification process). Collected evidence can be of different types (i.e., test-based, monitoring-based, and trusted computing-based evidence) and addresses the peculiarities of cloud environments. The framework also supports continuous and incremental evaluation of services in the production cloud.


Assurance Certification Cloud Security 



The work presented in this chapter has been partially funded by the EU FP7 project CUMULUS (grant no 318580).


  1. 1.
    Anisetti M, Ardagna CA, Damiani E (2015) A test-based incremental security certification scheme for cloud-based systems. In: Proceedings of the 12th IEEE international conference on services computing (SCC 2015), New York, June–July 2015Google Scholar
  2. 2.
    Anisetti M, Ardagna CA, Damiani E (2014) A certification-based trust model for autonomic cloud computing systems. In: Proceedings of the IEEE conference on cloud autonomic computing (CAC 2014), London, Sept 2014Google Scholar
  3. 3.
    CUMULUS Consortium (2015) Deliverable D5.3 – CUMULUS framework architecture v2. Available at
  4. 4.
    Harjani R, Arjona M, Espinar J, Maña A, Muñoz A, Koshutanski H (2014) An integrated framework for multi-layer certification-based assurance. In: Proceedings of the 8th layered assurance workshop (LAW 2014), New Orleans, Dec 2014Google Scholar
  5. 5.
    CUMULUS Consortium (2015) Deliverable D4.3 – CUMULUS-aware engineering process specification v2. Available at
  6. 6.
    CUMULUS Consortium (2015) Deliverable D3.3 – certification mechanisms for incremental and hybrid certification. Available at
  7. 7.
    Trusted Computing Group, TPM main specification.
  8. 8.
    CUMULUS Consortium (2015) Deliverable D2.4 – final CUMULUS certification models. Available at
  9. 9.
    CUMULUS Consortium (2013) Deliverable D2.1 – security-aware SLA specification language and cloud security dependency model. Available at
  10. 10.
    Spanoudakis G, Kloukinas C, Mahbub K (2009) The serenity runtime monitoring framework. In: Spanoudakis G, Kokolakis S (eds) Security and dependability for ambient intelligence. Springer, New York/US, pp 213–237CrossRefGoogle Scholar
  11. 11.
    Shanahan M The event calculus explained (1999) In: Wooldridge MJ, Veloso M (eds) Artificial intelligence today. Springer, Berlin Heidelberg, Germany, pp 409–430Google Scholar
  12. 12.
    Krotsiani M, Spanoudakis G, Mahbub K (2013) Incremental certification of cloud services. In: Proceedings of the 7th international conference on emerging security information, systems and technologies (SECURWARE-2013), Barcelona, Aug 2013Google Scholar
  13. 13.
    Krotsiani M, Spanoudakis G (2014) Continuous certification of non-repudiation in cloud storage services. In: Proceedings of the 4th IEEE international symposium on trust and security in cloud computing (IEEE TSCloud 2014), Beijing, Sept 2014Google Scholar
  14. 14.
    Irvine C, Levin T (1999) Toward a taxonomy and costing method for security services. In: Proceedings of the 15th annual conference on computer security applications (ACSAC 1999), Phoenix, Dec 1999Google Scholar
  15. 15.
    Chung L, Nixon BA (1995) Dealing with non-functional requirements: three experimental studies of a process-oriented approach. In: Proceedings of the 17th international conference on software engineering (ICSE 1995), Seattle, Apr 1995Google Scholar
  16. 16.
    Chung L, Leite JCP (2009) Conceptual modeling: foundations and applications. chapter on non-functional requirements in software engineering. Springer, Berlin/Heidelberg, pp 363–379Google Scholar
  17. 17.
    Anisetti M, Ardagna CA, Damiani E, Saonara F (2013) A test-based security certification scheme for web services. ACM Trans Web (TWEB) 7(2):1–41CrossRefGoogle Scholar
  18. 18.
    Trusted Computing Group (2011) Virtualized trusted platform architecture specification, Sept 2011.
  19. 19.
    Katopodis S, Spanoudakis G, Mahbub K (2014) Towards hybrid cloud service certification models. In: Proceedings of the IEEE international conference on services computing (SCC 2014), Anchorage, June–July 2014Google Scholar
  20. 20.
    Anisetti M, Ardagna CA, Damiani E (2013) Security certification of composite services: a test-based approach. In: Proceedings of the 20th IEEE international conference on Web services (ICWS 2013), San Francisco, June–July 2013Google Scholar
  21. 21.
    Pearson S (2011) Toward accountability in the cloud. IEEE Internet Comput 15(4):64–69CrossRefGoogle Scholar
  22. 22.
    Rasheed H (2013) Data and infrastructure security auditing in cloud computing environments. Int J Inf Manag 34(3):364–368MathSciNetCrossRefGoogle Scholar
  23. 23.
    Doelitzscher F, Reich C, Knahl M, Passfall A, Clarke N (2012) An agent based business aware incident detection system for cloud environments. J Cloud Comput 1(1):1–19CrossRefGoogle Scholar
  24. 24.
    Rajkumar MN, Kumar VV, Sivaramakrishnan R (2013) Efficient integrity auditing services for cloud computing using raptor codes. In: Proceedings of the ACM international conference on research in adaptive and convergent systems (RACS 2013), Montreal, Oct 2013Google Scholar
  25. 25.
    Yang K, Jia X (2013) An efficient and secure dynamic auditing protocol for data storage in cloud computing. IEEE Trans Parallel Distrib Syst 24(9):1717–1726CrossRefGoogle Scholar
  26. 26.
    Wang B, Li B, Li H (2014) Oruta: privacy-preserving public auditing for shared data in the cloud. IEEE Trans Cloud Comput 2(1):43–56CrossRefGoogle Scholar
  27. 27.
    CSA (2014) CloudAudit: automated audit, assertion, assessment, and assurance.
  28. 28.
    Wieder P, Butler JM, Theilmann W, Yahyapour R (2011) Service level agreements for cloud computing. Springer, Dortmund, GermanyCrossRefGoogle Scholar
  29. 29.
    Ye L, Zhang H, Shi J, Du X (2012) Verifying cloud service level agreement. In: Proceedings of IEEE GLOBECOM 2012, Anaheim, Dec 2012Google Scholar
  30. 30.
    Casalicchio E, Silvestri L (2013) Mechanisms for sla provisioning in cloud-based service providers. Comput Netw 57(3):795–810CrossRefGoogle Scholar
  31. 31.
    Marinescu DC, Paya A, Morrison JP, Healy PD (2013) An auction-driven self-organizing cloud delivery model. CoRR, abs/1312.2998Google Scholar
  32. 32.
    USA Department of Defence (1985) Department Of defense trusted computer system evaluation criteria, Dec 1985Google Scholar
  33. 33.
    Herrmann DS (2002) Using the common criteria for IT security evaluation. Auerbach publications/CRC press, LondonCrossRefGoogle Scholar
  34. 34.
    Kourtesis D, Ramollari E, Dranidis D, Paraskakis I (2010) Increased reliability in SOA environments through registry-based conformance testing of web services. Prod Plan Control 21(2):130–144CrossRefGoogle Scholar
  35. 35.
    Ryu SH, Casati F, Skogsrud H, Betanallah B, Saint-Paul R (2008) Supporting the dynamic evolution of Web service protocols in service-oriented architectures. ACM Trans Web 2(2):13:1–13:46Google Scholar
  36. 36.
    Papazoglou MP, Andrikopoulos V, Benbernou S (2011) Managing evolving services. IEEE Softw 28(3):49–55CrossRefGoogle Scholar
  37. 37.
    Grobauer B, Walloschek T, Stocker E (2011) Understanding cloud computing vulnerabilities. IEEE Secur Priv 9(2):50–57CrossRefGoogle Scholar
  38. 38.
    Sunyaev A, Schneider S (2013) Cloud services certification. Commun ACM 56(2):33–36CrossRefGoogle Scholar
  39. 39.
    Khan KM, Malluhi Q (2010) Establishing trust in cloud computing. IT Prof 12(5):20–27CrossRefGoogle Scholar
  40. 40.
    Bertholon B, Varrette S, Bouvry P (2011) Certicloud: a novel tpm-based approach to ensure cloud iaas security. In: Proceedings of the 4th IEEE international conference on cloud computing (CLOUD 2011), Washington, July 2011Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Marco Anisetti
    • 1
  • Claudio A. Ardagna
    • 1
  • Ernesto Damiani
    • 1
  • Antonio Maña
    • 2
  • George Spanoudakis
    • 3
  • Luca Pino
    • 3
  • Hristo Koshutanski
    • 2
  1. 1.DI – Università degli Studi di MilanoMilanoItaly
  2. 2.University of MalagaMalagaSpain
  3. 3.City University of LondonLondonUK

Personalised recommendations