Abstract
Outsourcing services into the cloud is a worthwhile alternative to classic service models from both the customer's and the provider's point of view. As a result, many new cloud providers are emerging and offering their cloud solutions. Trust in and acceptance of cloud solutions are, however, still lacking for many customers, since a large number of security incidents related to cloud computing have been reported. One way for companies to raise trust in their own products is to obtain a certification for them based on ISO 27001. The certification is, however, a large hurdle, especially for small and medium enterprises (SMEs), since they lack resources and know-how. In this paper we present an overview of the ClouDAT framework. It is a tool-based approach that supports the certification process for cloud services and is specifically tailored to SMEs.
This research was partially supported by the research project Visual Privacy Management in User Centric Open Environments (supported by the EU’s Horizon 2020 programme, Proposal number: 653642).
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Ahmadian, A.S., Coerschulte, F., Jürjens, J. (2016). Supporting the Security Certification and Privacy Level Agreements in the Context of Clouds. In: Shishkov, B. (eds) Business Modeling and Software Design. BMSD 2015. Lecture Notes in Business Information Processing, vol 257. Springer, Cham. https://doi.org/10.1007/978-3-319-40512-4_5
DOI: https://doi.org/10.1007/978-3-319-40512-4_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40511-7
Online ISBN: 978-3-319-40512-4
eBook Packages: Business and Management (R0)