Supporting the security certification and privacy level agreements in the context of clouds

Lecture Notes in Business Information Processing

Volumn 257, Issue , 2016, Pages 80-95

  Ahmadian, Amir Shayan ^a   Coerschulte, Fabian ^a   Jürjens, Jan ^a,b  

^a University of Koblenz   (Germany)

^b Fraunhofer Institute for Software and Systems Engineering (ISST)   (Germany)

Author keywords

Certifying cloud providers; Cloud computing; Privacy level agreements; Risk analysis methods; Risk treatment methods

Indexed keywords

CLOUD COMPUTING; RISK ANALYSIS; RISK ASSESSMENT; SOFTWARE DESIGN; SYSTEMS ENGINEERING; TECHNOLOGY TRANSFER;

CERTIFICATION PROCESS; CLOUD PROVIDERS; OUTSOURCING SERVICES; PRIVACY LEVELS; RISK ANALYSIS METHODS; RISK TREATMENT; SECURITY CERTIFICATION; SMALL AND MEDIUM ENTERPRISE;

TRUSTED COMPUTING;

EID: 84976648543     PISSN: 18651348     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-3-319-40512-4_5     Document Type: Conference Paper

References (27)

1. Alebrahim, A., Hatebur, D., Goeke, L.: Pattern-based and ISO 27001 compliant risk analysis for cloud systems. In: 2014 IEEE 1st Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE), pp. 42-47, August 2014
2. Armbrust, M., Fox, A., Griffith, R., Joseph, A.D., Katz, R.H., Konwinski, A., Lee, G., Patterson, D.A., Rabkin, A., Stoica, I., Zaharia, M.: Above the clouds: a berkeley view of cloud computing. Technical report UCB/EECS-2009-28, EECS Department, University of California, Berkeley. http: //www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.html
3. Beckers, K., Schmidt, H., Kuster, J., Fassbender, S.: Pattern-based support for context establishment and asset identification of the ISO 27000 in the field of cloud computing. In: 2011 Sixth International Conference on Availability, Reliability and Security (ARES), pp. 327-333, August 2011
4. CARiSMA: Carisma framework, May 2015. https: //www-secse.cs.tu-dortmund. de/carisma/
5. Cloud Security Alliance: Security guidance for critical areas of focus in cloud computing v3.0 (2011). https: //downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
6. Cloud Security Alliance: The notorious nine cloud computing top threats in 2013, February 2013. https: //cloudsecurityalliance.org/download/the-notoriousnine- cloud-computing-top-threats-in-2013/
7. Cloud Security Alliance: Privacy level agreement: A compliance tool for providing cloud services in the European union, February 2013. https: //cloudsecurityalliance. org/download/thenotorious-nine-cloud-computing-top-threats-in-2013/
8. Cloud Security Alliance: Cloud Control Matrix (2014). https: //downloads. cloudsecurityalliance.org/initiatives/ccm/ccm-v3.0.1.zip
9. ClouDAT: Cloudat project, May 2015. http: //ti.uni-due.de/ti/clouddat/de/
10. DISA: Application Security and Development STIG V3 R10 (2015). http: //iase.disa.mil/stigs/Documents/U Application Security and Development V3R4 STIG.zip
11. European Network and Information Security Agency: Cloud computing - benefits, risks and recommendations for information security (2009). https: //resilience. enisa.europa.eu/cloud-security-and-resilience/publications/cloud-computing-bene fits-risks-and-recommendations-for-information-security
12. Fernandez-Buglioni, E.: Security Patterns in Practice: Designing Secure Architectures Using Software Patterns, 1st edn. Wiley, New York (2013)
13. Fernández-Medina, E., Jürjens, J., Trujillo, J., Jajodia, S.: Model-driven development for secure information systems. Inf. Softw. Technol. 51(5), 809-814 (2009)
14. Heiser, J., Nicolett, M.: Assessing the security risks of cloud computing, June 2008. https: //www.gartner.com/doc/685308/assessing-security-risks-cloud-computing
15. ISO: ISO/IEC 27005 Information technology - Security techniques - Information security risk management. ISO 27005: 2008, International Organization for Standardization, Geneva, Switzerland (2008)
16. ISO: ISO/IEC 27001 Information Security Management System (ISMS) standard. ISO 27001: 2013, International Organization for Standardization, Geneva, Switzerland, October 2013
17. ISO: ISO/IEC 27000 Information technology - Security techniques - Information security management systems, Overview and vocabulary. ISO 27000: 2014, International Organization for Standardization, Geneva, Switzerland, May 2014
18. Jin, X., Sandhu, R., Krishnan, R.: RABAC: role-centric attribute-based access control. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 84-96. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-33704-8 8
19. Jürjens, J.: Secure information flow for concurrent processes. In: Palamidessi, C. (ed.) CONCUR 2000. LNCS, vol. 1877, p. 395. Springer, Heidelberg (2000)
20. Jürjens, J.: Modelling audit security for smart-card payment schemes with UMLsec. In: 16th International Conference on Information Security (IFIPSEC 2001), pp. 93-108. IFIP, Kluwer (2001)
21. Jürjens, J.: Secure Systems Development with UML. Springer, New York (2005). Chinese translation: Tsinghua University Press, Beijing 2009
22. Jürjens, J.: Verification of low-level crypto-protocol implementations using automated theorem proving. In: 3rd ACM & IEEE International Conference on Formal Methods and Models for Co-Design (MEMOCODE 2005), pp. 89-98. Institute of Electrical and Electronics Engineers (2005)
23. Jürjens, J., Wimmel, G.: Formally testing fail-safety of electronic purse protocols. In: 16th International Conference on Automated Software Engineering (ASE 2001), pp. 408-411. IEEE (2001)
24. Jürjens, J., Wimmel, G.: Security modelling for electronic commerce: the common electronic purse specifications. In: Schmid, B., Stanoevska-Slabeva, K., Tschammer, V. (eds.) Towards the E-Society: E-Commerce, E-Business, and EGovernment. IFIP, vol. 74, pp. 489-505. Springer US, New York (2001)
25. National Institute for Standards and Technology: The NIST Definition of Cloud Computing. Technical report, Special Publication 800-145 of the National Institute of Standards and Technology (NIST), September 2011. http: //csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
26. Nist, Aroms, E.: NIST Special Publication 800-53 Revision 4 Recommended Security Controls for Federal Information Systems and Organizations. CreateSpace, Paramount, CA (2012). http: //nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
27. Ratiu, D., Feilkas, M., Jürjens, J.: Extracting domain ontologies from domain specific APIs. In: 12th European Conference on Software Maintenance and Reengineering (CSMR 2008), pp. 203-212. IEEE (2008)