
2017 | OriginalPaper | Chapter

Delegated Audit of Cloud Provider Chains Using Provider Provisioned Mobile Evidence Collection

Authors: Christoph Reich, Thomas Rübsamen

Published in: Cloud Computing and Services Science

Publisher: Springer International Publishing


Abstract

Businesses, especially SMEs, increasingly integrate cloud services into their IT infrastructure. Businesses require assurance of the correct and effective implementation of security controls to attenuate the loss of control that is inherently associated with using cloud services. Giving this kind of assurance is traditionally the task of audits and certification done by auditors. Cloud auditing becomes increasingly challenging for the auditor once one considers that cloud services today are often distributed across many cloud providers. There are Software as a Service (SaaS) providers that no longer own dedicated hardware for operating their services, but rely solely on other cloud providers of the lower layers, such as Infrastructure as a Service (IaaS) providers. Cloud audit of provider chains, that is, cloud auditing of cloud services provisioned across different providers, is challenging and complex for the auditor.
The main contributions of this paper are: an approach to automated auditing of cloud provider chains with the goal of providing evidence-based assurance about the correct handling of data according to pre-defined policies; and the concepts of individual and delegated audits, a discussion of policy distribution and applicability aspects, and a proposed lifecycle model. The delegated auditing of cloud provider chains using a provider-provisioned platform for mobile evidence collection is the policy to collect evidence data on demand. Further, the extension of the Cloud Security Alliance's (CSA) CloudTrust Protocol forms the basis for the proposed system for provider chain auditing.


Metadata

Title: Delegated Audit of Cloud Provider Chains Using Provider Provisioned Mobile Evidence Collection
Authors: Christoph Reich, Thomas Rübsamen
Copyright Year: 2017
DOI: https://doi.org/10.1007/978-3-319-62594-2_3
