nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

9. Improving Cloud Assurance and Transparency Through Accountability Mechanisms

verfasst von : Siani Pearson, Jesus Luna, Christoph Reich

Erschienen in: Guide to Security Assurance for Cloud Computing

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Accountability is a critical prerequisite for effective governance and control of corporate and private data processed by cloud-based information technology services. This chapter clarifies how accountability tools and practices can enhance cloud assurance and transparency in a variety of ways. Relevant techniques and terminologies are presented, and a scenario is considered to illustrate the related issues. In addition, some related examples are provided involving cutting-edge research and development in fields like risk management, security and Privacy Level Agreements and continuous security monitoring. The provided arguments seek to justify the use of accountability-based approaches for providing an improved basis for consumers’ trust in cloud computing and thereby can benefit from the uptake of this technology.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Security Certification for the Cloud: The CUMULUS Approach

Nächstes Kapitel DDoS Protection and Security Assurance in Cloud

http://www8.hp.com/us/en/software-solutions/siem-security-information-event-management/

http://www.ibm.com/software/products/en/qradar-siem/

https://www.logrhythm.com/

http://www.mcafee.com/us/products/enterprise-security-manager.aspx

http://uk.emc.com/security/security-analytics/security-analytics.htm

http://www.27000.org/

http://www.coso.org

http://www.isaca.org

http://www.sumologic.com

http://aws.amazon.com/cloudtrail/

https://logentries.com/

Alnemr R, Pearson S, Leenes R, Mhungu R (2014) COAT: cloud offerings advisory tool. In: Proceedings of CloudCom, IEEE, pp 95–100

Alnemr R et al (2015) A data protection impact assessment methodology for cloud. In: Proceedings of Annual Privacy Forum (APF), LNCS, Springer, October 2015 (to appear)

American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants (AICPA-CICA) (2015) Privacy maturity model. Available via http://www.cica.ca/resources-and-member-benefits/privacy-resources-for-firms-and-organizations/item47888.aspx. Cited 1 June 2015

Bennett CJ, Raab CD (2006) The governance of privacy: policy instruments in global perspective. MIT Press, Cambridge, MA

Butin D, Chicote M, Le Metayer D (2013) Log design for accountability. In: Proceedings of IEEE CS Security and Privacy Workshops (SPW), pp 1–7

Cayirci E, Garaga A, Santana de Oliveira A, Roudier Y (2014) A cloud adoption risk assessment model. In: Proceedings of Utility and Cloud Computing (UCC), IEEE/ACM, pp 908–913

Centre for Information Policy Leadership (CIPL) (2014) A risk-based approach to privacy: improving effectiveness in practice. Available via http://www.hunton.com/files/upload/Post-Paris_Risk_Paper_June_2014.pdf. Cited 1 June 2015

Cloud Accountability Project (A4Cloud). www.a4cloud.eu

Cloud Security Alliance (CSA): Cloud Controls Matrix (CCM). Available via https://cloudsecurityalliance.org/research/ccm/

10.

CSA: Cloud Trust Protocol (CTP). Available via https://cloudsecurityalliance.org/research/ctp/

11.

CSA: Open Certification Framework (OCF). Available via https://cloudsecurityalliance.org/star/

12.

CSA: Privacy Level Agreement (PLA). Available via https://cloudsecurityalliance.org/research/pla/

13.

CSA: Secure Cloud (2014). Available via https://cloudsecurityalliance.org/events/securecloud2014/

14.

European Commission (EC) (2012) Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, January 2012

15.

EC (2013) Cloud computing service level agreements: exploitation of research results

16.

EC (2014) Cloud service level agreement standardisation guidelines. C-SIG SLA

17.

European DG of Justice (Article 29 Working Party) (2010) Opinion 03/2010 on the principle of accountability (WP 173), July 2010

18.

European DG of Justice (Article 29 Working Party) (2012) Opinion 05/2012 on cloud computing

19.

European DG of Justice (Article 29 Working Party) (2014) Statement on the role of a risk-based approach in data protection legal frameworks (WP218). Available via http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf

20.

European Telecommunications Standards Institute (ETSI) Cloud Standards Co-ordination Group (2013) Cloud standards coordination final report

21.

European Union Agency for Network and Information Security (ENISA) (2009) Cloud computing – benefits, risks and recommendations for information security

22.

ENISA (2014) Cloud certification schemes metaframework. Version 1.0, November 2014

23.

Felici M, Pearson S (eds) (2014) Report detailing conceptual framework. Deliverable D32.1, A4Cloud

24.

Felici M, Pearson S (2014) Accountability, risk, and trust in cloud services: towards an accountability-based approach to risk and trust governance. In: Proceedings of Services, IEEE, pp 105–112

25.

Gittler F et al (2015) Initial reference architecture. Deliverable 42.3, A4Cloud

26.

Hildebrandt M (ed) (2009) Behavioural biometric profiling and transparency enhancing tools, D 7.12, FIDIS

27.

International Data Corporation (IDC) (2012) Quantitative estimates of the demand of cloud computing in Europe

28.

International Organization for Standardization (ISO) (2014) (Draft) Information technology – cloud computing – service level agreement (SLA) framework and terminology. ISO/IEC 19086

29.

ISO (2014) Information technology – security techniques: guidelines on information security controls for the use of Cloud computing services based on ISOIEC 27002. ISOIEC 27002

30.

Jansen W (2010) Directions in security metrics research. TR-7564. NIST

31.

JBoss: Drools business rules management system solution. Available via http://www.drools.org/

32.

Kavanagh KM, Nicolett M, Rochford O (2014) Magic quadrant for security information and event management. Gartner

33.

Luna J, Langenberg R, Suri N (2012) Benchmarking cloud security level agreements using quantitative policy trees. In: Proceeding of the Cloud Computing Security workshop, ACM

34.

Mell P, Grance T (2011) The NIST definition of cloud computing, NIST Special Publication 800-145, September 2011

35.

National Institute of Standards and Technology (NIST) (2002) Risk management guide for information technology systems. SP 800-30. NIST

36.

NIST (2010) Guide for applying the risk management framework to federal information systems. SP 800-37. NIST

37.

NIST (2013) Cloud computing security reference architecture. NIST SP 500-299, vol 1

38.

NIST (2014a) (Draft) Cloud computing: cloud service metrics description. Public RATAX WG, NIST

39.

NIST (2014b) Cloud-adapted risk management framework. Draft NIST SP 800-173

40.

Nymity Inc (2014) Privacy management accountability framework

41.

Organisation for Economic Co-operation and Development (OECD) (2013) Guidelines concerning the protection of privacy and transborder flows of personal data

42.

Office of the Information and Privacy Commissioner of Alberta, Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner for British Colombia (2012) Getting accountability right with a privacy management program, April 2012

43.

Pearson S (2011) Toward accountability in the cloud. IEEE Internet Comput 15(4):64–69, IEEE Computer SocietyCrossRef

44.

Pearson S (2014) Accountability in cloud service provision ecosystems. In: Secure IT systems, LNCS, vol 8788, Springer, pp 3–24

45.

Pearson S, Wainwright N (2013) An interdisciplinary approach to accountability for future internet service provision. IJTMCC 1(1):52–72CrossRef

46.

Pulls T, Martucci L (2014) User-centric transparency tools. D-5.2, vol 1, A4Cloud

47.

Ruebsamen T, Pulls T, Reich C (2015) Secure evidence collection and storage for cloud accountability audits. In: Proceedings of CLOSER 2015, Lisbon, Portugal, 20–22 May 2015

48.

Stoneburner G, Hayden C, Feringa A (2004) Engineering principles for information technology security (A baseline for achieving security). SP800-27, NIST

49.

Telecom Italia: Java Agent Development Environment (JADE). http://jade.tilab.com

50.

Telecom Italia: JADE Agent Communication Language (ACL) (2005). Retrieved from http://jade.tilab.com/doc/api/jade/lang/acl/package-summary.html

51.

Wang C, Zhou Y (2010) A collaborative monitoring mechanism for making a multitenant platform accountable. In: Proceedings of HotCloud. Available from https://www.usenix.org/legacy/event/hotcloud10/tech/full_papers/WangC.pdf

52.

Wlodarczyk, Tomasz et al (2014) A4Cloud project: DC-8.1 framework of evidence. A4Cloud

Titel: Improving Cloud Assurance and Transparency Through Accountability Mechanisms
verfasst von: Siani Pearson
Jesus Luna
Christoph Reich
Verlag: Springer International Publishing
Buch: Guide to Security Assurance for Cloud Computing
Print ISBN: 978-3-319-25986-4

Electronic ISBN: 978-3-319-25988-8

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-319-25988-8_9

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"