Rule-Enhanced Domain Models for Cloud Security Governance, Risk and Compliance Management

  • Marcus Spies
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7018)

Abstract

As security is essential for the adoption of cloud computing, several standards defining security domains, related threats and controls are being established. Their common goal is to enable cloud-security-specific IT governance for cloud providers and client enterprises alike. The ensuing mandatory control objectives and control processes must cover regulatory compliance and risk management in view of the growing public-sector and industry demand for cloud computing services. As of today, most of these standards are represented in textual or semi-structured form. However, the growing adoption of cloud computing calls for tool-supported monitoring and auditing. This paper shows how this can be accomplished with a domain modelling approach that includes definitions and processing components for rules corresponding to control objectives and to various aspects of control processes.

Keywords

Cloud Computing, Cloud Service, Resource Description Framework, Description Logic, Object Constraint Language

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Marcus Spies, Knowledge Management, LMU University of Munich, Germany