Much Ado about Security Appeal: Cloud Provider Collaborations and Their Risks

  • Olga Wenge
  • Melanie Siebenhaar
  • Ulrich Lampe
  • Dieter Schuller
  • Ralf Steinmetz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7592)

Abstract

The lack of capacity, unplanned outages of sub-contractors, a disaster recovery plan, acquisitions, or other financial goals may force cloud providers to enter into collaborations with other cloud providers. However, the cloud provider is not always fully aware of the security level of a potential collaborative cloud provider. This can lead to security breaches and customers’ data leakage, ending in court cases and financial penalties. In our paper, we analyze different types of cloud collaborations with respect to their security concerns and discuss possible solutions. We also outline trusted security entities as a feasible approach for managing security governance risks and propose our security broker solution for ad hoc cloud collaborations. Our work provides support in the cloud provider selection process and can be used by cloud providers as a foundation for their initial risk assessment.

Keywords

cloud computing security; cloud collaborations; data privacy; data protection; security broker

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Olga Wenge (1)
  • Melanie Siebenhaar (1)
  • Ulrich Lampe (1)
  • Dieter Schuller (1)
  • Ralf Steinmetz (1)

  1. Multimedia Communication Lab (KOM), Technische Universität Darmstadt, Germany
